MAL-2026-6357
Malicious code in theme-color-picker (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f7a4ba7e8664b9e1d99c4018963a4731d591653d7f2a9b879ba090e7a7f6e7bd)

Although the package presents itself as a 'theme color picker', package.json identifies the publisher as analysis-chart.io with repository analysis-chart/analysis-chart, and the shipped lib/picker.js is a Windows dropper unrelated to any color-picker functionality.

lib/picker.js (line 11) downloads https://github.com/Analysis-Chart/analysis-chart/releases/download/v1/payload.bin.enc, XOR-decrypts the response with key 0x42, base64-decodes it, validates an MZ/PE header, writes the resulting DLL under %APPDATA%/Microsoft/Windows with a randomized name, and executes it via rundll32. It then registers a Scheduled Task named 'WindowsUpdateService' to re-launch the DLL at logon with HIGHEST privileges, deletes the package files from node_modules, and rewrites the consumer's root package.json to remove the 'analysis-chart' dependency entry to hide its tracks.

package.json declares scripts.install: 'node lib/chart-loader.js', wiring auto-execution at npm install; the dropper logic is colocated in lib/ alongside that hook. The user-facing index.js color-picker is cover.

Installer impact: Windows machines that run `npm install` of this package fetch and execute attacker-controlled native code with persistence; the malicious tree then self-removes from node_modules and the root manifest, complicating detection.
Affected packages
No fixed version published yet for theme-color-picker (npm). Pin to a known-safe version or switch to an alternative.