MAL-2026-5520

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0de4bc9f19feea718e091e9b0a480e9b939cdffa88109375020895c99efa489c) On `npm install`, postinstall.js executes automatically and collects host identity and environment details using `os.hostname()`, `process.cwd()`, and filesystem reads, base64-encodes the data via `Buffer.from(...).toString('base64')`, and exfiltrates it through both DNS lookups (`require('dns')`) and HTTPS requests (`require('https')`). The dual-channel base64 exfiltration shape (DNS tunneling plus HTTPS POST) combined with collection of system identifiers is the canonical install-time data-theft fingerprint and provides direct attacker benefit: any machine running `npm install` for this package leaks identifying information to an external destination automatically, before the user has reviewed any package code.