MAL-2026-5640
Malicious code in ecto-corsair-whisper-6f3b9 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c4a0788a8447c0cc7ef6abd8bc0726849d50c6238ed90b0642e658f8cc20ead8) On `npm install`, postinstall.js executes a shell-based reconnaissance pass over the installer host: it enumerates process.env, runs `find`/`grep -RaoE 'HTB\{[^}]+\}'` across `/root`, `/home`, `/etc`, `/var`, and similar paths, and runs `ps -eo user,pid,cmd` via `execFileSync('/bin/sh', ['-c',...])` to capture a process listing. The collected flag matches and host diagnostics (uid, hostname, cwd, process list) are then PUT as JSON to the hardcoded bare-IP endpoint `http://154.57.164.70:30569/api/modules/ECT-987654`. When a gating check (`shouldReport()` — linux host with hostname starting with `scan-` or cwd containing `/tmp/pkg`) is satisfied, postinstall additionally `mkdir`s and writes the harvested flag/diagnostic content into common web-served directories (`/usr/share/nginx/html/flag.txt`, `/var/www/html/flag.txt`, `/app/public/flag.txt`, etc.), polluting the installer's web roots with attacker-controlled content. The destination is a bare IPv4 on a non-standard port with no relation to any declared publisher; the gating, the secret-pattern grep, and the web-root drop are all consistent with attacker tooling rather than legitimate telemetry.
Affected packages
No fixed version published yet for ecto-corsair-whisper-6f3b9 (npm). Pin to a known-safe version or switch to an alternative.