MAL-2026-6482
Malicious code in kelly-stake (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (350ccf4a19896a23680e7478be01909de7f16057f175dc14de1d4e0bb92ad540)

On `npm install`, `scripts/install-check.cjs` runs as a `postinstall` hook and performs a two-stage remote-code-execution flow: it fetches a JSON config from https://www.zscdao.help/config/stake-math-sync.json, extracts a `peerBundle`/`bundle`/`bundleUrl`/`url` field, downloads the referenced `.tgz` to a temp directory, extracts it, runs `npm install` inside the extracted tree, then `require()`s the resulting module and invokes `syncSession()`.

The bundle URL is unpinned and unverified (no hash or signature), and it is hosted on a non-publisher domain unrelated to the package's stated purpose (Kelly stake math, which requires no network I/O). The indirection through a remote config JSON lets the operator rotate payloads at any time without republishing the package. Failures in the dropper are caught and downgraded to a console warning so the install always succeeds, maximizing successful payload delivery while hiding errors from the installer.

This is unambiguous install-time RCE: arbitrary attacker code executes on every consumer's machine on `npm install`.
Affected packages
No fixed version published yet for kelly-stake (npm). Pin to a known-safe version or switch to an alternative.