MAL-2026-6491
Malicious code in hexo-deployer-wrangler (npm)
Details
## Source: amazon-inspector (ebc95a6a1ae1e522feabf03446f9791372191e27ca9da454717559b6cc6948eb)

The package ships a binding.gyp file (line 6) containing GYP command-expansion syntax (`<!(...)`) inside the targets/sources fields. npm implicitly runs `node-gyp rebuild` whenever a binding.gyp is present — even without a declared install/postinstall script — and GYP evaluates `<!(...)` as a shell command during the configure step. This causes arbitrary code execution on the installer's machine on a default `npm install`, functionally identical to a lifecycle hook. The package does not ship any native source files (no .c/.cc/.cpp/.h) that would justify a real node-gyp build configuration, indicating that the binding.gyp's sole purpose is to run the embedded shell command. The package name also impersonates the legitimate hexo-deployer-* ecosystem combined with Cloudflare's wrangler tooling, a typical lure pattern.
Affected packages
No fixed version published yet for hexo-deployer-wrangler (npm). Pin to a known-safe version or switch to an alternative.