cwao-units @0.8.3
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4546
Ecosystem
npm
Summary
package.json declares "preinstall": "./scripts/postbuild", where scripts/postbuild is a 976,568-byte Linux x86-64 ELF binary shipped in the tarball with no corresponding source, no native build configuration (no binding.gyp, no .c/.cc/.rs files, no node-gyp/cmake-js/prebuild-install tooling), and no mention in the README. The package self-describes as a pure-JS Arweave/AO unit runner whose declared dependencies (arweave, express, cors, ramda, weavedb) are all pure JavaScript, so there is no legitimate cover story for a platform-specific native binary. Strings inside the ELF include LIBBPF_0.0, PTRACE, NETLINK, HTTP/1.1, https://, Ed25519/RSA/MLKEM crypto primitives, and USERPROFILE, indicating network-capable, BPF/ptrace-capable native code. Every run of npm install cwao-units executes this opaque binary as the installing user before the package is even loaded. The filename postbuild is suggestively chosen to mimic a benign build artifact, and the binary is invoked as a preinstall (not postinstall) hook so it fires before any inspection. This matches the canonical opaque-binary dropper pattern: doc mismatch + thin lifecycle-script wrapper + undocumented native code with networking/tracing primitives.
Source: amazon-inspector (94f3ce7490e9a811444c5493ebb6d968f9dd7879d7695f330e101cf5b158fedf)