MAL-2026-5524
Malicious code in @orion-design-system/store (npm)
Details
## Source: amazon-inspector (4218505b74ba258cea12df713bbc27db9fa58d6660cf83e6d0c5fd8a9f68a4c2)

package.json declares a preinstall script that runs on every `npm install`. The script uses `node -e` to require `os` and `https`, reads `os.hostname()` and `os.userInfo().username`, and exfiltrates them to `d8kn5vlt5p5h1j34mbcgbx1nffwjobfoh.oast.fun` (an Interactsh OAST callback host) via both an HTTPS GET with the values in the query string and a DNS lookup with the hostname embedded in the subdomain.

The package combines this active exfiltration with a textbook Alex Birsan dependency-confusion shape: an internal-looking scope (`@orion-design-system`), an absurdly high version (`9999.0.0`) designed to win version resolution against a private registry, and a README that explicitly names the target organization (Cloud Imperium Games / Roberts Space Industries). Any build system misconfigured to resolve the public copy over a private internal package will leak host identifiers to the attacker-controlled OAST endpoint at install time. 'Authorized research' framing in the README does not neutralize the install-time payload: the script fires unconditionally on any installer that resolves this package.
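The two risk signals described above (an install-time lifecycle script that shells out and touches host-identity or network modules or an OAST callback domain, and dependency-confusion markers such as an unpinned internal-looking scope and an implausible version) can be checked mechanically before a manifest is allowed to install. The following audit is an added example and is not code from the advisory or from amazon-inspector. The sample manifest is constructed to carry the markers the advisory names; its preinstall string is a non-functional placeholder, not the real payload. The OAST domains other than `oast.fun`, the `.npmrc` contents and the `1000` version threshold are assumptions for illustration.

```python
"""Audit an npm package.json for install-time exfiltration markers and
dependency-confusion shape. Added example; not part of the advisory."""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Commands that let a one-liner execute arbitrary code during `npm install`.
SHELL_OUT = re.compile(r"\b(node\s+-e|node\s+--eval|curl|wget|bash\s+-c|sh\s+-c)\b")
# Host-fingerprinting and network APIs the advisory names.
HOST_APIS = re.compile(
    r"os\.hostname|os\.userInfo|require\(['\"]https?['\"]\)|require\(['\"]dns['\"]\)"
)
# oast.fun is the family named in the advisory; the others are additional
# well-known out-of-band callback services (assumption: illustrative list).
OAST_DOMAINS = re.compile(
    r"[a-z0-9-]+\.(oast\.fun|oastify\.com|interact\.sh|burpcollaborator\.net)\b", re.I
)
# Major versions at or above this are treated as a resolution-winning decoy (assumption).
IMPLAUSIBLE_MAJOR = 1000


def scope_registry_pinned(scope: str, npmrc: str) -> bool:
    """True if .npmrc maps the scope to an explicit registry, which defeats
    public/private resolution races for that scope."""
    pattern = re.compile(rf"^\s*{re.escape(scope)}:registry\s*=\s*\S+", re.M)
    return bool(pattern.search(npmrc))


def audit_manifest(manifest: dict, npmrc: str = "") -> list:
    """Return a list of human-readable findings; empty means no signal fired."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if SHELL_OUT.search(cmd):
            findings.append(f"{hook}: shells out to an interpreter or downloader")
        if HOST_APIS.search(cmd):
            findings.append(f"{hook}: reads host identity or loads network modules")
        for m in OAST_DOMAINS.finditer(cmd):
            findings.append(f"{hook}: references OAST callback host {m.group(0)}")
    name = manifest.get("name", "")
    if name.startswith("@"):
        scope = name.split("/", 1)[0]
        if not scope_registry_pinned(scope, npmrc):
            findings.append(f"scope {scope} not pinned to a private registry in .npmrc")
    version = str(manifest.get("version", "0"))
    head = version.split(".")[0]
    if head.isdigit() and int(head) >= IMPLAUSIBLE_MAJOR:
        findings.append(f"implausible version {version} (dependency-confusion marker)")
    return findings


def audit_paths(package_json_path: str, npmrc_path: str = "") -> list:
    """Convenience wrapper for real files: audit package.json against an optional .npmrc."""
    with open(package_json_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    npmrc = ""
    if npmrc_path:
        with open(npmrc_path, encoding="utf-8") as fh:
            npmrc = fh.read()
    return audit_manifest(manifest, npmrc)


# Constructed sample modelled on the advisory. The preinstall body is a comment-only
# placeholder that carries the markers; it does nothing if executed.
SAMPLE_MANIFEST = {
    "name": "@orion-design-system/store",
    "version": "9999.0.0",
    "scripts": {
        "preinstall": "node -e \"require('os'); require('https'); "
                      "/* os.hostname() -> CONSTRUCTED-PLACEHOLDER.oast.fun */\"",
    },
}
# Constructed .npmrc that pins the scope to an internal registry (hostname is a placeholder).
SAFE_NPMRC = "@orion-design-system:registry=https://npm.internal.example/\n"
BENIGN_MANIFEST = {"name": "lodash", "version": "4.17.21", "scripts": {"test": "jest"}}

if __name__ == "__main__":
    for label, npmrc in (("unpinned", ""), ("scope pinned", SAFE_NPMRC)):
        print(f"[{label}]")
        for finding in audit_manifest(SAMPLE_MANIFEST, npmrc):
            print("  -", finding)
    print("[benign]", audit_manifest(BENIGN_MANIFEST))
```

Running it against the constructed sample reports all five signals; adding the scope pin to `.npmrc` removes only the registry finding, because the preinstall script still fires on whatever installer resolves the package. Wiring `audit_paths` into CI before `npm install` (or combining it with `npm install --ignore-scripts`) turns the advisory's description into a gate rather than a post-incident observation.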
## Affected packages
No fixed version published yet for @orion-design-system/store (npm). Pin to a known-safe version or switch to an alternative.