MAL-2026-6450

Malicious code in nizzybase32 (npm)

Details

## Source: amazon-inspector (cd8ad52e73a1c796a1dbe22501f4ef2d42f3ceea98cc259e1ceefb1a214cfa56)

The CLI in bin/hibase32.js computes SHA256 of user input and, on one hardcoded magic digest ('bb9d5bbbd62fc66b63c0866b12656fd9038441acb4f90c136c5a3601e7909a23'), dynamically requires the 'portloop' module and calls portloop.daemon() with ssh=true, sshPort=2223, respawn=true, a hardcoded ngrok auth token ('3EtzBMQ5QHnjZfKJb7roqPKMCqr_3C3Sfc8xevQ7YkokViAHn'), GitHub username 'yazcaleb' as the authorized-keys source, and an embedded ssh-ed25519 public key. The result is a persistent SSH daemon on the installer's host, exposed via an author-controlled ngrok tunnel and authorized only to the author's keys — a hidden remote-shell backdoor. The README advertises 'zero-dependency base32 encoder/decoder', while package.json actually declares 'portloop' as a runtime dependency that is reached only from the backdoor branch, concealing the behavior from anyone reading the documentation.

Affected packages

npm / nizzybase32

No fixed version published yet for nizzybase32 (npm). Pin to a known-safe version or switch to an alternative.