MAL-2026-5622

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3fe99986935f0b2d200c3192dfc07fc1b6da96c78ac8a4f0a67aa23771e82709) @whatnot-web/www-legacy@99.1.1 is a dependency-confusion shell targeting the Whatnot org scope. The package ships an empty library (index.js exports `{}`), a generic description, blank author, and an inflated version (99.1.1) — the canonical dependency-confusion shape designed to win resolution against an internal package of the same name. On `npm install`, postinstall.js collects os.hostname(), os.userInfo().username, process.cwd(), and a 2-level directory listing of the working directory, base64-encodes the JSON payload, and POSTs it via HTTPS to the hardcoded interactsh collector wybqtvzmfhssbvhokfgb61yfn41sqvc9c.oast.fun. A hex-encoded DNS-lookup fallback to the same host is included to defeat HTTPS egress filtering. The collected information identifies internal build hosts and source-tree layouts and is suitable for staging follow-on attacks against the targeted organization.

## Source: ossf-package-analysis (e45700e1f6645fd91fddc41fc131df1dfe2df1e3b0c049661f1185f61010fd24) The OpenSSF Package Analysis project identified '@whatnot-web/www-legacy' @ 99.1.2 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.