
MAL-2026-6448

Malicious code in bs58-86 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (057e2e470e0bc9dbfd2ff37955c0c7d051cca944025b9d62c882ffc98c4434e5)

Package `bs58-86@6.0.1` reproduces the name, README, repository URL (`cryptocoinjs/bs58`), and exported API of the widely used `bs58` base58 encoding library (>10M downloads/week). The only functional code in `src/cjs/index.cjs` is `require('base62-86x')(ALPHABET)`: instead of depending on the real `base-x` package that genuine `bs58` uses, this package pulls in `base62-86x` (declared as `^5.0.4` in package.json dependencies), an unrelated package controlled by a different publisher. All of the actual base-x implementation therefore runs out of `base62-86x`, so any developer who installs `bs58-86` believing it to be `bs58` executes whatever `base62-86x` ships, at require time.

This is the typosquat-plus-dependency-redirect shape: the lure package is a thin shim whose only effect on the installer is to pull in and execute the redirected dependency. Because the shim contains nothing beyond that redirected `require`, reviewing `bs58-86` on its own shows only a changed dependency name; the code that actually runs lives entirely in `base62-86x`, so that package is where any analysis of the payload has to happen.


Affected packages

npm / bs58-86

No fixed version has been published for bs58-86 (npm), and none should be expected: the package is malicious by design, so there is no known-safe version to pin to. Remove `bs58-86` (and the `base62-86x` dependency it pulls in) from package.json and the lockfile, install the genuine `bs58` instead, and treat any build or runtime that required the package as having executed code from `base62-86x`.
