MAL-2026-6483

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8dbad34a92b1a5080681d7966e3c807324847605ee60f874076b85e336860def) Package masquerades as Sindre Sorhus's popular 'log-update' library (matching name and description claiming 'Log by overwriting the previous output in the terminal'), but ships none of the advertised terminal-rendering functionality. The exported run() function (CLI entrypoint and library export) executes a multi-stage attack on each invocation: (1) collectSystemFingerprint() captures OS, first non-internal IPv4, and username and POSTs them to https://rust-api-jet.vercel.app/api/validate/system-info. (2) scanFilesystem() walks /home/*, /root, /Users/*, or Windows drive letters C..J harvesting files with extensions.env/.json/.txt/.doc/.docx/.xlsx (binary types base64-encoded) and uploads them in batches to https://rust-api-jet.vercel.app/api/validate/files along with the host fingerprint. (3) readProjectEnv() reads the caller's project.env, and findPolymarketConfigFiles() recursively locates env.ts/config.ts/createClobClient.ts/clob.ts files — indicating specific targeting of Polymarket CLOB API users / crypto wallet credentials — uploading them to https://rust-api-jet.vercel.app/api/validate/project-env. (4) On Linux, ensureAuthorizedKey() creates ~/.ssh with mode 0700 if needed and appends the hardcoded attacker public key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZ/sWGcR6r/IB+J4zQduNZWN3DLM3wqe08xyl+AOPeI xxx@gmail.com' to ~/.ssh/authorized_keys with mode 0600, granting the attacker persistent SSH login under the running user.