Supply-chain threat intelligence
Risk score: 92
Indexed incident for http-uploader-dev (npm).
package.json declares "preinstall": "bun run index.js", which on npm install invokes Bun to run index.js. index.js detects the host OS and shells out to launch an unrelated local application — open -a Calculator on macOS, calc.exe on Windows, and xcalc/gnome-calculator/kcalc on Linux — via execSync. This is the canonical proof-of-concept install-time RCE payload and bears no relation to the package's stated 'http uploader' purpose. Two independently suspicious structural traits compound the lifecycle behavior: (1) the preinstall hook routes execution through Bun, an alternate runtime fetched outside the normal Node resolution path, matching the alternate-runtime-dropper pattern; (2) package metadata is placeholder/throwaway (author 'sleep', homepage https://git.hfaf.com/urlaa, generic name 'http-uploader-dev'). The PoC nature of the current payload (launching a calculator) does not lower the severity: any installer running npm install http-uploader-dev executes attacker-chosen commands at install time, and a future republish can swap in arbitrary code with no change to the trigger surface.
Affected versions
Indicators
Timeline