MAL-2026-4702
Malicious code in vestibulect (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (82da0f0bb40f42e69defbea694db093f2ad880c8c094508f61e2d7fe58550e2e)

package.json declares a postinstall hook ("postinstall": "node install.js") which executes install.js automatically on `npm install`. install.js imports `fs` and `https`, enumerates the filesystem via `fs.readdirSync(...)` and reads file contents with `fs.readFileSync(...)`, then performs outbound network calls via `https.get(...)`. This combination — directory enumeration, file read, and unconditional outbound HTTPS in an install lifecycle script — is the canonical filesystem-to-network exfiltration shape and produces a direct attacker benefit: any developer or CI machine running `npm install vestibulect` has local file contents transmitted off-host to whatever destination the script chooses. The package has no advertised purpose that would justify reading local files at install time.
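The shape described above (an install lifecycle hook whose script combines filesystem reads with outbound network calls) can be triaged statically before a package is ever installed. The following is an added example, not code from the advisory or from the package: it parses a package.json, follows `node <file>` lifecycle commands to the referenced script, and flags the fs-read plus network-out combination. The package.json and install.js contents are constructed samples that mirror the description, not the real package.

```javascript
// Added example: static pre-install triage for lifecycle-hook exfiltration shape.
// Inputs are plain strings, so nothing here executes the inspected package.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
const FS_READ = /\bfs\.(readdirSync|readFileSync|readdir|readFile)\s*\(/;
const NET_OUT = /\b(https?|net|dgram)\.(get|request|connect|createSocket)\s*\(|\bfetch\s*\(/;

// packageJsonText: contents of package.json; files: map of file name -> source text.
// Returns one finding per lifecycle hook present, with exfilShape=true when the
// invoked script both reads the filesystem and makes outbound network calls.
function triagePackage(packageJsonText, files) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Resolve "node install.js"-style commands to the script file they run.
    const m = cmd.match(/\bnode\s+([^\s;&|]+)/);
    const target = m ? m[1] : null;
    const src = target ? files[target] : undefined;
    const flags = [];
    if (src !== undefined) {
      if (FS_READ.test(src)) flags.push("fs-read");
      if (NET_OUT.test(src)) flags.push("network-out");
    } else {
      flags.push("unresolved-script"); // hook runs something we could not inspect
    }
    const exfilShape = flags.includes("fs-read") && flags.includes("network-out");
    findings.push({ hook, cmd, target, flags, exfilShape });
  }
  return findings;
}

// Constructed sample inputs mirroring the advisory's description (not the real files).
const samplePackageJson = JSON.stringify({
  name: "example-pkg", version: "1.0.0",
  scripts: { postinstall: "node install.js", test: "mocha" },
});
const sampleFiles = {
  "install.js": [
    "const fs = require('fs');",
    "const https = require('https');",
    "const names = fs.readdirSync('.');",
    "const data = fs.readFileSync(names[0]);",
    "https.get('https://collector.invalid/'); // placeholder destination",
  ].join("\n"),
};

console.log(JSON.stringify(triagePackage(samplePackageJson, sampleFiles), null, 2));
```

A finding with `exfilShape: true` is a reason to block the install and inspect the script by hand; an `unresolved-script` flag (a hook that runs something other than a bundled `node` file) also deserves a manual look.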
Affected packages
No fixed version published yet for vestibulect (npm). Pin to a known-safe version or switch to an alternative.