
MAL-2026-6299

Malicious code in analysis-chart (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a1ab4349bcc1e8f4434817d242b136f6e6050d4acb234aa833d81ffd74942066)

The package's postinstall hook (install-hook.js, invoked via package.json scripts.postinstall) fetches an opaque binary 'payload.bin' from https://github.com/Dimitrijenco/Sticky_note/releases/download/v6/payload.bin — a third-party GitHub release on an account unrelated to the package's claimed author.

The downloaded bytes are XOR-decrypted with key 0x42, then loaded into the installer's process: kernel32.dll is loaded via koffi, RWX memory is allocated with VirtualAlloc, the decrypted PE is copied via RtlMoveMemory, VirtualProtect is applied, and CreateThread is started at the parsed PE entry point. This is in-memory shellcode/PE injection on Windows developer machines, executing arbitrary attacker-controlled native code on `npm install`.

After launching the payload, install-hook.js writes a cleanup.js that, after a 3-second delay, runs `cmd /c rmdir /s /q` on the package folder, removes 'analysis-chart' from the host project's package.json, unlinks install-hook.js, and self-deletes — anti-forensic evidence removal so the developer cannot inspect what ran.

The package's index.js exposes a plausible-looking chart statistics API (stats, outliers, trend, correlation, movingAverage, analyze) that is functionally unrelated to install-hook.js and serves as decoy cover; author metadata 'Elena Vogt <elena@analysis-chart.io>' and the referenced repo appear fabricated.
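As an added defender-side example (not part of this advisory, and not Amazon Inspector's or the OSV project's tooling), the following Node.js script statically checks an unpacked npm package for the traits described above: an install lifecycle hook, a script that downloads from a GitHub release URL, native FFI use, Win32 memory-allocation calls, a single-byte XOR decode, and self-deletion. The indicator regexes, the risk scoring and the sample package (`example-chart-lib`, with a placeholder release URL) are all constructed for this example; in practice you would run it over the extracted output of `npm pack <name>` before installing.

```javascript
// Added example, not from the advisory: static audit of an npm package's
// install-time scripts for the loader traits the advisory describes.
// Indicator patterns and the sample package are constructed for illustration.

const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Each indicator is a label plus a regex run over the referenced script's source.
const INDICATORS = [
  { label: 'remote-download', re: /https?:\/\/[^\s'"`]+\/releases\/download\//i },
  { label: 'native-ffi',      re: /require\(['"](koffi|ffi-napi)['"]\)/ },
  { label: 'rwx-memory',      re: /\b(VirtualAlloc|VirtualProtect|CreateThread|RtlMoveMemory)\b/ },
  { label: 'xor-decode',      re: /\^\s*0x[0-9a-f]{2}\b/i },
  { label: 'self-delete',     re: /rmdir\s+\/s\s+\/q|unlink(?:Sync)?\(\s*__filename/ },
];

// Extract local .js/.cjs/.mjs file names from a lifecycle command such as
// "node install-hook.js". Only simple relative names are recognised.
function referencedScripts(command) {
  const out = [];
  const re = /\b([\w./-]+\.(?:c|m)?js)\b/g;
  let m;
  while ((m = re.exec(command)) !== null) out.push(m[1].replace(/^\.\//, ''));
  return out;
}

// pkg:   parsed package.json of the unpacked tarball
// files: { [relativePath]: sourceText } for the unpacked tarball
// Returns { risk, findings }; findings is a list of { script, file, indicator }.
function auditInstallScripts(pkg, files) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Any install-time hook is worth surfacing; most packages have none.
    findings.push({ script: hook, file: null, indicator: 'lifecycle-hook' });
    for (const file of referencedScripts(cmd)) {
      const src = files[file];
      if (typeof src !== 'string') {
        // A hook pointing at a file missing from the tarball is itself suspicious.
        findings.push({ script: hook, file, indicator: 'missing-script-file' });
        continue;
      }
      for (const { label, re } of INDICATORS) {
        if (re.test(src)) findings.push({ script: hook, file, indicator: label });
      }
    }
  }
  const labels = new Set(findings.map((f) => f.indicator));
  // Remote download combined with Win32 memory calls is the in-memory loader pattern.
  const risk =
    labels.has('remote-download') && labels.has('rwx-memory') ? 'high'
    : labels.size > 1 ? 'medium'
    : labels.size === 1 ? 'low'
    : 'none';
  return { risk, findings };
}

// Constructed sample package modelled on the advisory's description; the
// release URL is a placeholder, not the real one.
const SAMPLE_PKG = {
  name: 'example-chart-lib',
  version: '1.0.0',
  scripts: { postinstall: 'node install-hook.js' },
};
const SAMPLE_FILES = {
  'install-hook.js': [
    "const koffi = require('koffi');",
    "const URL = 'https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/releases/download/v1/payload.bin';",
    'const out = buf.map((b) => b ^ 0x42);',
    "const VirtualAlloc = kernel32.func('VirtualAlloc', 'void*', ['void*', 'size_t', 'uint32', 'uint32']);",
    "require('fs').unlinkSync(__filename);",
  ].join('\n'),
  'index.js': 'module.exports = { stats() { return {}; } };',
};

const SAMPLE_REPORT = auditInstallScripts(SAMPLE_PKG, SAMPLE_FILES);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

The check is deliberately conservative: it only reads files named by the lifecycle hooks, so it will not flag a package that hides the same behaviour behind a `require()` chain; treat a `high` result as grounds to inspect the tarball by hand rather than as a verdict in either direction.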


Affected packages

npm / analysis-chart

No fixed version published yet for analysis-chart (npm). Pin to a known-safe version or switch to an alternative.

References