MAL-2026-6368
Malicious code in decimal-format-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (864677541e3090100ca588a37d8eb525f74817ade2fce5cb3e265af45b0c4e9a)

The postinstall script scripts/sync-peer.cjs runs `npm pack decimal-format-utils@1.0.1` (or whichever version is configured via the BACKUP_TARGET_VERSION / BACKUP_PAYLOAD_SPEC environment variables), extracts the resulting tarball, overwrites every file of the installed v1.0.0 package in place with fs.cpSync over the package root, and then require()s the replaced index.js and awaits from_str(). The effect is that `npm install decimal-format-utils@1.0.0` executes code from a different, publisher-mutable version at install time. The lockfile's pinned version and integrity hash cover only the tarball npm fetched, not what the postinstall writes over it afterwards, so lockfile pinning is bypassed and the publisher holds a live remote code execution channel into every install.

The package additionally impersonates the big.js maintainer: package.json sets `author: Michael Mclaughlin` and `repository.url: https://github.com/MikeMcl/big.js.git`, and the README falsely claims the package is pulled in automatically as a dependency of big.js@6.2.x. big.js declares no such dependency. The impersonation appears designed to lure installers into trusting an unrelated publisher whose postinstall then executes arbitrary fetched code.
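The fetch-and-replace pattern described above can be caught statically before an install runs any lifecycle script. The following is an added example written for this page, not code from the advisory, from Amazon Inspector or from the package: it audits a package's manifest for install-lifecycle hooks and for a repository URL that names a different project, and scans the hook's source for the operations the advisory lists (npm pack at install time, a copy over the package's own root, an environment-controlled version spec, a require() of the replaced file). The sample manifest and the stand-in script below are constructed to mirror the advisory's description; the exact `postinstall` command string is assumed, and the stand-in is not the real sync-peer.cjs.

```javascript
// Added example (not the advisory's or the package's code): static audit of an
// npm package for "fetch another version and run it at install time".

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators in a lifecycle script's source text: [label, regex].
const SCRIPT_INDICATORS = [
  ["invokes npm pack at install time", /\bnpm\s+pack\b/],
  ["copies files over its own package root", /\b(cpSync|copyFileSync|renameSync)\b[^\n]*__dirname/],
  ["version or spec taken from the environment", /process\.env\.[A-Z0-9_]*(VERSION|SPEC|TARGET)[A-Z0-9_]*/],
  ["require()s a file under its own root after the copy", /\brequire\s*\(\s*[^)]*__dirname/],
];

// Last path segment of a repository URL or "github:owner/repo" shorthand, minus ".git".
function repoProjectName(repository) {
  const url = typeof repository === "string" ? repository : repository && repository.url;
  if (!url) return null;
  const segment = url.replace(/\/+$/, "").split("/").pop();
  return segment ? segment.replace(/\.git$/, "") : null;
}

// True when the manifest's repository names a project other than the package itself.
// A scoped name "@scope/foo" is compared on "foo".
function repositoryMismatch(manifest) {
  const project = repoProjectName(manifest.repository);
  if (project === null) return false;
  const bare = manifest.name.split("/").pop();
  return project.toLowerCase() !== bare.toLowerCase();
}

// Install-lifecycle hooks the manifest declares.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
}

// Labels of every indicator that matches the script source.
function scanScript(source) {
  return SCRIPT_INDICATORS.filter(([, re]) => re.test(source)).map(([label]) => label);
}

// Audit a manifest plus a map of script path -> source for its hook targets.
// verdict: "block" when a hook shows two or more fetch-and-replace indicators,
// "review" when any weaker signal (hook present, repository mismatch) exists, else "ok".
function auditPackage(manifest, scriptSources = {}) {
  const hooks = installHooks(manifest);
  const findings = [];
  let strongest = 0;
  if (repositoryMismatch(manifest)) {
    findings.push(`repository names '${repoProjectName(manifest.repository)}', not '${manifest.name}'`);
  }
  for (const hook of hooks) {
    const cmd = manifest.scripts[hook];
    // Match "node scripts/x.cjs" style commands to a source we were given.
    const file = Object.keys(scriptSources).find((p) => cmd.includes(p));
    const hits = file ? scanScript(scriptSources[file]) : [];
    strongest = Math.max(strongest, hits.length);
    findings.push(`${hook} runs '${cmd}'` + (hits.length ? `: ${hits.join("; ")}` : ""));
  }
  const verdict = strongest >= 2 ? "block" : findings.length ? "review" : "ok";
  return { verdict, hooks, findings };
}

// Constructed sample manifest with the fields the advisory describes.
// The postinstall command string is an assumption.
const SAMPLE_MANIFEST = {
  name: "decimal-format-utils",
  version: "1.0.0",
  author: "Michael Mclaughlin",
  repository: { type: "git", url: "https://github.com/MikeMcl/big.js.git" },
  scripts: { postinstall: "node scripts/sync-peer.cjs" },
};

// Constructed stand-in containing only the operations the advisory names;
// this is not the real sync-peer.cjs.
const SAMPLE_SCRIPT = `
const spec = process.env.BACKUP_PAYLOAD_SPEC ||
  "decimal-format-utils@" + (process.env.BACKUP_TARGET_VERSION || "1.0.1");
execSync("npm pack " + spec);
fs.cpSync(extracted, path.join(__dirname, ".."), { recursive: true });
require(path.join(__dirname, "..", "index.js"));
`;
const SAMPLE_SCRIPTS = { "scripts/sync-peer.cjs": SAMPLE_SCRIPT };

console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), null, 2));
```

Run it over each package that `npm query ":attr(scripts, [postinstall])"` reports in an installed tree, or over a tarball's contents before installing. Because the integrity hash in package-lock.json only attests the tarball that was downloaded, the audit must look at the files on disk (or the tarball contents) rather than trust the lockfile, and installing with `npm install --ignore-scripts` keeps the hook from running while the review happens.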
Affected packages
No fixed version has been published for decimal-format-utils (npm). Because the package itself is the malicious artifact (an impersonation of big.js with no legitimate version to pin to), remove it from dependencies and lockfiles rather than pinning, and treat any environment whose `npm install` ran its postinstall as having executed publisher-controlled code.