MAL-2026-5521

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (eb75510e87a08a5152331461c2b2b955ad21d418c8d2055f5f66ec15e22cf042) On `npm install`, the postinstall hook runs `node index.js`, which performs an HTTPS POST to `https://f1ackavab3.execute-api.eu-west-2.amazonaws.com/` carrying the installer's hostname (`os.hostname()`) and current working directory (`process.cwd()`) as JSON. The package has no other functionality. The scoped name `@helpcentre/tesco-help` targets a Tesco-branded internal namespace, and the inflated `999.0.0` version is the canonical dependency-confusion technique used to override a private package of the same name when an installer's registry config falls back to public npm. Installers who resolve this package leak host-identifying reconnaissance data to an attacker-controlled API Gateway endpoint, enabling targeted follow-on attacks against the affected build environment.