MAL-2026-4807
Malicious code in shop-minis (npm)
Details
## Source: amazon-inspector (6e9e3e4e8e9e12bac20967fa551c549a93915b33007d7e54f8bfe0eed26a216e)

On `npm install`, the package's postinstall script (`postinstall.js`, run via `scripts.postinstall = 'node postinstall.js'`) collects host identity — `whoami`, `id`, `os.hostname()`, `os.platform()`, current working directory, and the env vars `CI`, `GITHUB_REPOSITORY`, `NODE_ENV` — and sends them to the hardcoded attacker-controlled host `svr57aylqme3zald4p0psi1hw827q1eq.oastify.com` (a Burp Collaborator / OAST canary domain) via both `https.get` and DNS lookup. The package name `shop-minis` and self-described 'Security research canary — shopify' impersonate Shopify's Shop Minis platform, so any developer expecting that namespace would unwittingly leak host recon to the canary operator's collaborator instance. The package ships no real functionality matching its name; the only effect of installation is the exfiltration beacon.
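To check whether a project pulls in this package anywhere in its dependency tree, including nested or aliased installs, the following added example (not part of the advisory or of any vendor tooling) audits a parsed `package-lock.json` and also lists every package that declares an install-time script. It assumes lockfileVersion 2 or 3; the sample lockfile, its package names other than `shop-minis`, and the version strings are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
const ADVISORY_PACKAGE = "shop-minis"; // package name from this advisory

// Lockfile keys look like "node_modules/a/node_modules/@scope/b";
// the installed folder name is whatever follows the last "node_modules/".
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = { advisoryHits: [], installScripts: [] };
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry
    // npm records `name` when the folder is an alias for another package
    const name = entry.name || nameFromLockPath(lockPath);
    if (!name) continue;
    if (name === ADVISORY_PACKAGE) {
      findings.advisoryHits.push({ path: lockPath, version: entry.version });
    }
    // hasInstallScript marks packages with preinstall/install/postinstall hooks
    if (entry.hasInstallScript === true) findings.installScripts.push(name);
  }
  return findings;
}

// Constructed sample lockfile: versions are placeholders, not real releases.
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/plain-lib": { version: "1.3.0" },
    "node_modules/some-ui-kit": { version: "2.0.0" },
    "node_modules/some-ui-kit/node_modules/shop-minis": {
      version: "0.0.0-constructed",
      hasInstallScript: true,
    },
    "node_modules/native-addon-example": { version: "4.1.0", hasInstallScript: true },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

Installing with `npm ci --ignore-scripts` keeps lifecycle scripts such as `postinstall` from running while the tree is reviewed.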
Affected packages
No fixed version published yet for shop-minis (npm). Pin to a known-safe version or switch to an alternative.