MAL-2026-6363

Malicious code in npmkekw (npm)

Details


## Source: amazon-inspector (74384b76540c8d36fef8a30dc2acd3224defeaa8a58d0155101f2f670aa8b153)

The package's main module (index.js) exports an `init()` function that spawns `/bin/bash` via `child_process.exec` and opens a TCP socket to the hardcoded remote address 49.13.148.41:443, piping the shell's stdio through the socket: a textbook reverse-shell backdoor giving the operator at that IP interactive command execution on any host that calls `init()`. Package metadata is consistent with a throwaway attack vehicle: empty `description`, empty `author`, non-descriptive name `npmkekw`, and no other functional code. The payload as shipped contains a typo (it references an undefined `sh` variable and pipes from `cp.stdout`), so it crashes on first use, but the intent and structure are unambiguous and a one-character fix would make it functional.

Affected packages

npm / npmkekw

No fixed version published yet for npmkekw (npm). Pin to a known-safe version or switch to an alternative.
