
MAL-2026-6526

Malicious code in @immobiliarelabs/backstage-plugin-gitlab (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (00eb86df154a9532085ad285ee63cd4c4f9a95a6fe983b9930cd059dfb4cb3f5)

The package ships a binding.gyp at the package root whose targets/sources fields contain GYP command-expansion syntax (`<!(...)`) at line 6. npm implicitly invokes `node-gyp rebuild` whenever a binding.gyp is present, even without any declared install/postinstall script, and node-gyp/GYP evaluates `<!(...)` as a shell command during the configure step. As a result, the embedded command executes on every `npm install` of this package, whether it is pulled in as a direct or a transitive dependency. The package presents itself as a Backstage GitLab plugin (a pure TypeScript/React frontend plugin), a category that has no legitimate need to build a native addon; consistent with that, no C/C++ source files are shipped alongside binding.gyp, so the file's only effect is to run the embedded shell command at install time. The traced content of this install-time code path was withheld by the upstream model's malware-output safety filter, which is itself a corroborating signal that the executed content reads as operational malware rather than benign build logic.
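The indicators described above (a binding.gyp carrying `<!(...)` command expansion, no install script of the package's own, and no native sources to build) can be checked mechanically across a dependency tree. The following scanner is an added example, not tooling from the advisory source or from the package's maintainers. It parses binding.gyp with `ast.literal_eval` (GYP files are Python dict literals, so nothing in them is executed), collects every string containing a `<!(` or `<!@(` expansion, and classifies the package: expansion with no C/C++ sources is flagged as suspicious, expansion alongside real sources (common in legitimate addons that query `node-addon-api` include paths) is marked for review. The binding.gyp and package.json samples at the bottom are constructed for the demonstration and are not the real package's files.

```python
"""Added example: flag npm packages whose binding.gyp carries GYP command
expansion (<!(...)) but ships no native sources to build.  Not the advisory's
own tooling; the sample inputs at the bottom are constructed."""
import ast
import json
import re
from pathlib import Path

# GYP runs '<!(cmd)' and '<!@(cmd)' through a shell at configure time.
COMMAND_EXPANSION = re.compile(r"<!@?\(")
NATIVE_SOURCE_EXT = {".c", ".cc", ".cpp", ".cxx", ".m", ".mm"}


def parse_gyp(text):
    """binding.gyp is a Python dict literal (single quotes, trailing commas,
    '#' comments), so ast.literal_eval parses it without executing anything."""
    return ast.literal_eval(text)


def find_command_expansions(node, path=""):
    """Recursively collect every string in the parsed GYP tree that contains a
    command expansion, together with its key path (e.g. targets/0/sources/0)."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}" if path else str(key)
            hits.extend(find_command_expansions(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_command_expansions(value, f"{path}/{i}"))
    elif isinstance(node, str) and COMMAND_EXPANSION.search(node):
        hits.append((path, node))
    return hits


def assess(binding_gyp_text, package_json_text, shipped_files):
    """Classify one package from the text of its binding.gyp (None if absent),
    its package.json, and the list of relative paths it ships."""
    scripts = json.loads(package_json_text).get("scripts", {})
    has_gyp = binding_gyp_text is not None
    result = {
        "has_binding_gyp": has_gyp,
        # npm falls back to 'node-gyp rebuild' only when the package declares
        # no install/preinstall script of its own.
        "implicit_node_gyp": has_gyp and not (scripts.keys() & {"install", "preinstall"}),
        "native_sources": sorted(f for f in shipped_files
                                 if Path(f).suffix in NATIVE_SOURCE_EXT),
        "command_expansions": find_command_expansions(parse_gyp(binding_gyp_text)) if has_gyp else [],
    }
    if not has_gyp:
        result["verdict"] = "clean"
    elif result["command_expansions"] and not result["native_sources"]:
        result["verdict"] = "suspicious"    # install-time command, nothing to build
    elif result["command_expansions"]:
        result["verdict"] = "review"        # expansion present, but plausible build logic
    else:
        result["verdict"] = "native-addon"
    return result


def scan_node_modules(root):
    """Walk a node_modules tree and assess every package that ships binding.gyp."""
    findings = {}
    root = Path(root)
    for gyp in root.rglob("binding.gyp"):
        pkg = gyp.parent
        pkg_json = pkg / "package.json"
        if not pkg_json.is_file():
            continue
        files = [str(p.relative_to(pkg)) for p in pkg.rglob("*")
                 if p.is_file() and "node_modules" not in p.relative_to(pkg).parts]
        findings[str(pkg.relative_to(root))] = assess(gyp.read_text(), pkg_json.read_text(), files)
    return findings


# Constructed samples (hypothetical; not the real package's files).
SUSPICIOUS_GYP = """\
{
  'targets': [
    {
      'target_name': 'placeholder',
      # Command expansion where a source list belongs: runs on `npm install`.
      'sources': [ '<!(echo constructed-sample)' ],
    },
  ],
}
"""
LEGIT_GYP = """\
{
  'targets': [
    {
      'target_name': 'addon',
      'sources': [ 'src/addon.cc' ],
      'include_dirs': [ "<!@(node -p \\"require('node-addon-api').include\\")" ],
    },
  ],
}
"""
FRONTEND_PKG_JSON = '{"name": "example-frontend-plugin", "version": "1.0.0", "scripts": {"build": "tsc"}}'

if __name__ == "__main__":
    print(assess(SUSPICIOUS_GYP, FRONTEND_PKG_JSON, ["binding.gyp", "package.json", "dist/index.js"]))
    print(assess(LEGIT_GYP, FRONTEND_PKG_JSON, ["binding.gyp", "package.json", "src/addon.cc"]))
```

Run `scan_node_modules("node_modules")` against a checked-out project to get one verdict per package that ships a binding.gyp; a `suspicious` hit on a package whose declared purpose is a frontend plugin is the pattern this advisory describes and is worth blocking in CI before `npm install` runs with install scripts enabled.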


Affected packages

npm / @immobiliarelabs/backstage-plugin-gitlab

No fixed version published yet for @immobiliarelabs/backstage-plugin-gitlab (npm). Pin to a known-safe version or switch to an alternative.

References