MAL-2026-6439
Malicious code in polymarket-stake-maths (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (657363aaa0b94385d30a26c1f4ee67923b0d877975850ad08f8364c2a901d8e7)

On `npm install`, the package's postinstall script (`scripts/install-check.cjs`) fetches a JSON config from https://log-taker.store/config/stake-math-sync.json, reads a `peerBundle` URL from that config, downloads the referenced `.tgz`, extracts it into a `.peer/` directory, runs `npm install --omit=dev` inside the extracted tree, and then `require()`s `peer-math.js` and invokes `syncSession()`. There is no pinning and no hash or signature verification, and the config host is fully attacker-mutable, so every install executes whatever bytes log-taker.store is currently serving. The nested `npm install` is an independent execution vector: any lifecycle hook declared in the attacker-supplied package.json runs with the installer's privileges. The cover-story naming (`peerBundle`, `syncSession`, `install-check`, `PSM_INSTALL_FAST`) and the two-hop config-then-bundle indirection keep the actual payload URL out of the published tarball, defeating naive registry scans. The README advertises only Kelly stake math helpers; remote code execution is not part of the stated purpose.
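The install-hook chain described above can be triaged before any lifecycle script is allowed to run. The following is an added example, not code from the advisory source or from the package: a Node.js helper that reads a package.json's lifecycle hooks and scans the script text they invoke for the indicators named here (remote fetch, archive extraction, nested `npm install`, require() of downloaded code). The sample package and script are constructed for the demo, and the indicator names and regexes are assumptions of mine.

```javascript
// Added example, not the advisory's or the package's code: triage an npm
// package's lifecycle hooks for the pattern described above. Indicator
// names and regexes are heuristics of my own, not proof of malice.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const INDICATORS = [
  { name: "remote-fetch", re: /https?:\/\/|\bfetch\(|https?\.get\(/ },
  { name: "archive-extract", re: /\.tgz\b|\btar\b|\bextract/ },
  { name: "nested-install", re: /\bnpm\s+(install|i|ci)\b/ },
  // require() whose argument is not a plain string literal (computed path)
  { name: "dynamic-require", re: /require\((?!\s*['"`][^'"`]*['"`]\s*\))/ },
  { name: "child-process", re: /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(/ },
];
// For each declared lifecycle hook: the hook, its command, and the indicators
// found in the script it runs. `readScript` maps a hook command to the text
// of that script (the caller resolves the path on disk).
function triageLifecycleScripts(pkgJson, readScript) {
  const scripts = pkgJson.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    const source = readScript(scripts[hook]) || "";
    const indicators = INDICATORS.filter(i => i.re.test(source)).map(i => i.name);
    findings.push({ hook, command: scripts[hook], indicators });
  }
  return findings;
}

// "high": network fetch plus a nested install or computed require(), i.e. the
// two-hop pattern above; "medium": other indicators; "low": hooks present but
// clean; "none": no lifecycle hooks declared.
function riskLevel(findings) {
  let level = "none";
  for (const f of findings) {
    const has = n => f.indicators.includes(n);
    if (has("remote-fetch") && (has("nested-install") || has("dynamic-require"))) return "high";
    if (f.indicators.length > 0) level = "medium";
    else if (level === "none") level = "low";
  }
  return level;
}
// Constructed sample modelled on the described behaviour, not the real script.
const SAMPLE_PKG = { name: "sample-pkg", scripts: { postinstall: "node scripts/install-check.cjs" } };
const SAMPLE_SCRIPTS = { "node scripts/install-check.cjs": [
  'const cfgUrl = "https://config.example.invalid/sync.json"; // fetch config',
  "// download cfg.peerBundle (.tgz) and extract it into .peer/",
  'execSync("npm install --omit=dev", { cwd: ".peer" });',
  'require(path.join(".peer", "peer-math.js")).syncSession();',
].join("\n") };
function demo() { return triageLifecycleScripts(SAMPLE_PKG, cmd => SAMPLE_SCRIPTS[cmd]); }
```

Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) keeps lifecycle hooks from executing at all until a check like this has been done.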
Affected packages
No fixed version published yet for polymarket-stake-maths (npm). Pin to a known-safe version or switch to an alternative.