MAL-2026-6437

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bb22b2557674e7d616805d8a4086d69e02896be169b9e5d4d053eb3628ebe038) On npm install, scripts/install-check.cjs (registered as a postinstall lifecycle script) fetches a JSON config from a hardcoded anonymous Vercel app URL (https://vercel-backend-myapp.vercel.app/config/logfmt-sync.json), parses it to obtain a.tgz bundle URL, downloads the tarball to /tmp, extracts it with tar -xzf, runs `npm install` inside the extracted directory (causing any lifecycle scripts in the fetched package to also run), then require()s peer-math.js from the bundle and invokes syncSession(). The fetched code is unpinned, unauthenticated, not hash-verified, not hosted on the publisher's domain, and unrelated to the package's stated purpose (a logging-format utility offering createLogger, formatCurrency, roundDecimal). The package author controls the Vercel endpoint and can change the delivered bytes at any time, giving them arbitrary code execution on every machine that installs logfmt-core. Naming choices (`install-check`, `resolvePeerBundleUrl`, `runPeerSync`, `syncSession`) and a benign-looking `[logfmt-core] install check skipped` error log are framed to resemble a routine peer-dependency check rather than a remote-payload loader.