
MAL-2026-6536

Malicious code in @krentzen/buffer-reverse (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7b7fccd6dbb7ba8a92be0bcbb002f92c43ff0c5e4bb82666589834a7be69e6bf)

@krentzen/buffer-reverse impersonates the well-known buffer-reverse package (it copies the legitimate author, repo URL, README, and the genuine ~10-line reverse() function at the top of index.js as a cover story). Below that cover, index.js contains two ~46KB heavily obfuscated IIFEs (RC4 string-array decoder, anti-debug, control-flow flattening) that run at require() time.

The decoded payload performs an import-time binary dropper sequence: it re-spawns the current Node process with child_process.spawn(process.execPath, argv, {detached:true, stdio:'ignore', env:{...process.env, <marker>:set}}).unref() and returns in the parent (detaches from the consumer / npm install), then in the child issues an HTTPS GET (port 443) with full redirect handling (301/302/303/307/308), streams the response into a file under os.tmpdir(), writes a <file>.json sidecar containing {status, size, sha256, downloadedAt}, fs.chmodSync(file, 0o755), and child_process.spawn(file, [], {detached:true, stdio:'ignore', windowsHide:true}).unref(). The fetched binary is unpinned, unsigned, and has no publisher tie-in. Any project that require()s this package executes attacker-controlled native code that survives the parent process.


Affected packages

npm / @krentzen/buffer-reverse

No fixed version published yet for @krentzen/buffer-reverse (npm). Pin to a known-safe version or switch to an alternative.
