MAL-2026-4543

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a314a5b253dcb30b2781bda216266b7ab1b49b62eec416bd9be07b48ab46a348) On npm install, postinstall.js collects git identity, OS user/uid, hostname, internal network interface addresses, Cloudflare Pages environment variables, and directory listings of ~/.ssh, ~/.aws, and ~/.kube (first 5 entries of each), base64-encodes the payload, and sends it as a query string via an HTTPS GET to ho9skv69a3pbqzbzg7z1l009c0ir6hu6.oastify.com — a Burp Collaborator out-of-band exfiltration host. The script also implements explicit sandbox evasion: it returns early if the current working directory starts with /tmp, contains 'npm-', or HOME is unset, with a 'Diagnostic/2.0' User-Agent cover story. The targeted directories (~/.ssh, ~/.aws, ~/.kube) reveal credential filenames (id_rsa, credentials, config) suitable for follow-on targeted theft. The package name shape and dependency-confusion-style high version (99.12.9) are consistent with an internal-name squat reconnaissance payload.

## Source: ossf-package-analysis (8ba8e61a99e8c6f42a14cbd3d6c403d6f064b4e3cebca968e3d26807fdfa489b) The OpenSSF Package Analysis project identified 'customerdigital-ui-containers-lib' @ 99.13.9 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.