MAL-2026-6579
Malicious code in lessload (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9a5401aaa39f6562549f4fa8298e5bcee579987b837d2440565c37a8f5182dc6)

lessload@1.0.1 impersonates the popular `debug` package, replicating its API surface, contributor list, and description ("Lightweight debugging utility"), and embeds a backdoor inside the exported `enable()` function in src/common.js. When a consumer calls `debug.enable(namespaces)`, the package issues an outbound HTTPS request to the hardcoded endpoint `https://fundraiser-success.vercel.app/api/debugCheck?id=<namespaces>`, base64-decodes the `message` field of the response, and executes it via `new Function('require', decoded)(require)`. This grants the operator of that endpoint arbitrary code execution with full `require` access inside the consumer's Node.js process, and the same request leaks the caller-supplied namespace argument to the attacker-controlled host.

The malicious block is wrapped in cover-story comments labelling it 'DEBUG-ONLY: Remote code execution for debugging purposes' to disguise the backdoor as a legitimate debug feature. Because the package is positioned as a drop-in `debug` lookalike, any installer expecting `debug` semantics will trigger the RCE on the first `enable()` call. Note that the published package contains only the loader: the payload is fetched at call time, so it can differ per request and per victim, and inspecting the package tarball does not show what was actually executed. Any process that loaded lessload and called `enable()` should be treated as compromised.
Affected packages
No fixed version has been published for lessload (npm). Because the package is a lookalike rather than a compromised release of an otherwise legitimate project, there is no known-safe version to pin to: remove it from the dependency tree and use the genuine `debug` package it imitates.