MAL-2026-6317
Malicious code in ts-bn-lint (npm)
Details
## Source: amazon-inspector (e591f0b407bc22e3abe20da9207df2d2922f75d98ab97aaa62557ca88b8fc349)

ts-bn-lint@3.1.19 is a credential harvester disguised as a TypeScript/lint utility. index.js defines `decodeStr` which base64-decodes all operationally sensitive strings, including the C2 endpoint `https://data-stream.space/api/v1` (index.js:32) and the target filename patterns `.env`, `config.toml`, `Config.toml`, `config.json`, `id.json`, and `env` (index.js:13-18). The exported `from_str` function recursively walks `process.cwd()` collecting files matching those patterns, then gathers shell histories by invoking `execSync("bash -c history")` and `execSync("zsh -c 'fc -l -1000'")` (index.js:101, 117), tagging each upload with the local username and IP for victim correlation before POSTing to the C2 endpoint. The `id.json` target is the standard Solana CLI keypair file; `.env` and `config.*` typically contain API keys and database credentials. The package's own `test.js` calls `from_str()` unconditionally, so `npm test` triggers exfiltration; any consumer who requires the package and calls the exported function does the same. Package metadata is empty (no author, no description) and the name impersonates the TypeScript/lint tooling namespace.
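A static check for the pattern described above, as an added example that is not part of the advisory or of the package's code: it flags quoted base64 literals that decode to a URL or to one of the listed target filenames, plus `execSync` calls that read shell history. The function names and the `SAMPLE` source are constructed for illustration; the indicator values come from the advisory text.

```javascript
// Added example: static check for the obfuscation pattern described in the advisory.
// Indicator values are taken from the advisory text; SAMPLE is constructed.
const TARGET_FILES = new Set([".env", "config.toml", "Config.toml", "config.json", "id.json", "env"]);
const LITERAL = /(["'`])([A-Za-z0-9+/]{4,}={0,2})\1/g; // quoted base64-looking string
const HISTORY_CALL = /execSync\s*\(\s*(["'`])[^\n]*?(\bhistory\b|\bfc -l\b)/g;

// Decode a literal only if it is canonical base64 that yields printable ASCII.
function decodeIfText(lit) {
  if (lit.length % 4 !== 0) return null;
  const buf = Buffer.from(lit, "base64");
  if (buf.toString("base64") !== lit) return null; // reject strings that do not round-trip
  const text = buf.toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Return one finding per suspicious construct in a JavaScript source string.
function scanSource(src) {
  const findings = [];
  for (const m of src.matchAll(LITERAL)) {
    const text = decodeIfText(m[2]);
    if (text === null) continue;
    if (/^https?:\/\//i.test(text)) findings.push({ kind: "encoded-url", value: text });
    else if (TARGET_FILES.has(text)) findings.push({ kind: "encoded-target-file", value: text });
  }
  for (const m of src.matchAll(HISTORY_CALL)) {
    findings.push({ kind: "shell-history-read", value: m[2] });
  }
  return findings;
}

// Constructed sample (not the package's real source); literals are encoded at run time.
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");
const SAMPLE = `
const decodeStr = (s) => Buffer.from(s, "base64").toString();
const endpoint = decodeStr("${b64("https://data-stream.space/api/v1")}");
const names = ["${b64(".env")}", "${b64("id.json")}"].map(decodeStr);
const label = "lint";
execSync("bash -c history");
execSync("zsh -c 'fc -l -1000'");
`;

console.log(scanSource(SAMPLE));
```

Ordinary short strings such as `"lint"` are valid base64 but decode to non-printable bytes, so they are ignored rather than reported.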
Affected packages
No fixed version published yet for ts-bn-lint (npm). Pin to a known-safe version or switch to an alternative.