
MAL-2026-6476

Malicious code in typedecode (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (593662d3b4cda901642b713f419417807a33f3dca74e818f66e8d0cf9ebcf6e3)

On `require('typedecode')` / `import 'typedecode'`, the bundled `dist/index.cjs` and `dist/index.js` execute an obfuscated import-time payload. A `bootstrap.js` IIFE exposes `require` and `module` on `global`, deobfuscates two large strings through a custom permutation (`YWG`), constructs a function via the `Function` constructor (`AQq(erE, YWG(fvm))`), invokes it on a second decoded payload to produce `XZs`, then calls `XZs(7942)` and brands `global._V = 'A6-Shadow-15'`. The deliberate placement of `require`/`module` on globals before the IIFE allows the decoded code to dynamically load arbitrary Node modules (fs, http, child_process, etc.) without any static reference.

The package's API surface and inline comments are copied verbatim from the legitimate `decoders` package by nvie (including the email-regex comment and the pojo detection comment), and the README API (`object`, `array`, `optional`, `string`, `number`, `email`, `url`, `uuid`, `decode`/`verify`/`value`, `formatInline`, `formatShort`) duplicates that library — an impersonation lure to drive installs of the hidden loader. Author is the placeholder-style `chavanetsanastasia-netizen`.

Is this version affected?

Enter the package version you are using for an immediate assessment.

Affected packages

npm / typedecode

No fixed version published yet for typedecode (npm). Pin to a known-safe version or switch to an alternative.

References