
MAL-2026-6543

Malicious code in express-initial (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a8d292a4664135ed1869f907d62fb6472839ab54a59aedb2f3a88022a0c70095)

package.json declares `"postinstall": "node index.js"`, so `npm install express-initial` automatically runs the package's main script. index.js is heavily obfuscated (obfuscator.io-style 317-entry RC4-encoded string array, base64 decoder, array-rotation self-shuffle, control-flow flattening), which hides the destination URL, AES key material, and command strings from any plain-text inspection. At runtime the script imports http/https, fs, path, os, crypto, and child_process, performs an HTTPS GET against a hard-coded remote host, splits the response on ':' into IV and ciphertext, decrypts via `crypto.createDecipheriv('aes-256-...', <sha256-derived key>, Buffer.from(iv,'base64'))`, writes the decrypted bytes into `path.join(os.tmpdir(), <name>)` with flag 'w+', and immediately invokes the dropped file via `child_process.exec`/`execFile` with `windowsHide: true`. This is a fetch-decrypt-and-execute dropper firing on default install. The package name also leverages the popular `express` framework while shipping empty author/description/repository metadata and a generic README that itself notes the script is obfuscated — consistent with a deliberate supply-chain lure rather than a legitimate helper.


Affected packages

npm / express-initial
First affected version: 0

No fixed version published yet for express-initial (npm). Pin to a known-safe version or switch to an alternative.

References