
MAL-2026-6326

Malicious code in web3-eth-utils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4a262e70316cd74a87b043cd1985e456639781763d4a3ef69aa09d99a2795154)

Package name, README, repository URL, contributors, and module structure are copied from the legitimate '@ethereumjs/util' / 'ethereumjs-util' package, presenting itself as a drop-in for that widely-used Ethereum utility library. The compiled Node entry dist/index.js contains a side-effect-only `require("assertcore")` at line 60 (no symbols from the module are used), and assertcore is declared as a runtime dependency (^3.1.7) in package.json. This `require` is absent from the TypeScript source src/index.ts and from the browser bundle dist.browser/index.js: it was injected into the shipped Node bundle after the build, a deliberate smuggling pattern. Any consumer who installs web3-eth-utils believing it to be the real ethereumjs util package will pull assertcore into their dependency tree and execute its top-level code at every `require('web3-eth-utils')`, handing arbitrary install/require-time execution to the assertcore maintainer.


Affected packages

npm / web3-eth-utils

No fixed version has been published for web3-eth-utils (npm). Because the package is malicious rather than merely vulnerable, there is no known-safe version to pin to: remove it from the dependency tree and use the legitimate library it imitates instead.

References