MAL-2026-6374
Malicious code in evil-pkg (npm)
Details
## Source: amazon-inspector (bf5806c778f7f49aba80d58a718ed64b09e714e34caa649874727cda5ed92831)

package.json declares `"bin": { "node": "./shim.js" }`, which causes npm to place a `node` symlink inside `node_modules/.bin/`. Because npm prepends `node_modules/.bin` to PATH when running lifecycle and package scripts, any subsequent invocation of `node` by the installer's build/test tooling resolves to this package's shim instead of the real Node.js runtime. The shim file `shim.js` begins with `#!/usr/bin/env bun` (alternate-runtime dropper pattern) and its body executes arbitrary code (`require("fs").writeFileSync("/tmp/.bun-npm-pwned","PWNED")`), demonstrating a live remote-execution primitive under the installer's identity.

Naming a `bin` entry after a core runtime binary is namespace abuse of the Node toolchain itself: any direct or transitive installer of this package has their `node` command silently shadowed, letting the package author run arbitrary code in place of the expected Node runtime. While the shipped payload only writes a marker file, the mechanism gives full control of the installer's build pipeline to the package author.
Affected packages
No fixed version published yet for evil-pkg (npm). Pin to a known-safe version or switch to an alternative.