MAL-2026-5648

Malicious code in unified-ui-components-library (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (78fe6900f4329c8e4c7bb5322f0e30a3f3b90e289c45852fca61c4fd16f43fd8)

On `npm install`, the package's postinstall.js collects `os.hostname()` and `os.userInfo().username` and embeds them as query-string parameters in a plaintext HTTP GET to a hardcoded bare IP (http://161.97.149.48/skybackground.png?display=<hostname>&profile=<username>). The fetch is dressed up as an 'image download', but the identifying data is in the URL the server logs, giving the operator a per-install fingerprint of every machine that installs the package. The download path also follows 301/302 redirects to attacker-chosen Locations and writes the server's response body to ./downloaded-image.jpg with no content-type validation, providing staging infrastructure alongside the beacon. Cover-story signals corroborate intent: package.json describes an 'image downloader CLI' with placeholder author 'Your Name', README.md advertises an unrelated 'Simple Text Utils' API (capitalize/reverse/wordCount) that the code does not implement, and index.js exports only `downloadImage`. The advertised purpose, README, and shipped code disagree; the consistent behavior across all three is the install-time phone-home.

Affected packages

npm / unified-ui-components-library

No fixed version published yet for unified-ui-components-library (npm). Pin to a known-safe version or switch to an alternative.
