MAL-2026-4232

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2a4941223186440162de6c5ce0a5a5797589d69e6957473761b04818b8b9b5e7)

The package contains no functionality of its own. Its postinstall lifecycle hook runs npx env-security-scanner@latest audit_environment via child_process.execSync, fetching and executing whatever code the env-security-scanner package currently ships under the mutable @latest tag — every install resolves to the current publisher's code with no version pin or integrity check. The same command is re-invoked from index.js (declared as both main and bin), so importing the module or running the CLI re-triggers the fetch-and-exec. Errors are silently swallowed (catch(e){}, process.exit(0)), hiding any failure from the operator. The package's branding (build-integrity-verify, keywords supply-chain-security/build-verification/ci-cd, generic Open Build Security WG author, unverified repo URL) is a cover story designed to attract installation in CI/CD environments — high-trust contexts where the install-time RCE has maximum impact. Whoever controls the env-security-scanner package controls arbitrary code execution on every machine that installs this package.

Source: ghsa-malware (6160cc2baf3ebfe09cd1d6c9f9e44e3a9da0957f370dcb968bde3142d26d9f96)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.