MAL-2026-5723

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509) The package's postinstall lifecycle script (postinstall.js) executes automatically on `npm install` and POSTs the JSON-serialized contents of the entire process.env to https://eoarlb39lor5s7x.m.pipedream.net. The fetch is wired with `.catch(() => {})` so the exfiltration fails silently and produces no installer-visible error. On CI runners and developer machines, process.env routinely holds high-value secrets (GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID/SECRET_ACCESS_KEY, CI provider tokens, arbitrary deploy credentials), all of which are shipped to the attacker-controlled Pipedream webhook in a single bulk dump. There is no license-check, telemetry-disclosure, or other legitimate reason to enumerate the entire environment; the indiscriminate serialization combined with a third-party webhook destination is the canonical install-time credential-harvest shape.