MAL-2026-5741
Malicious code in @achuthvp/postinstall-poc (npm)
Details
## Source: amazon-inspector (c3dc0d7b5fc216ae117dda9c492a6bbdff46e49ab53f069c2d525dab001bcdb9)

package.json declares scripts.postinstall = `node postinstall.js`. On every `npm install`, postinstall.js runs `execSync('id')` and POSTs a JSON body containing the `id` output, `os.hostname()`, platform, architecture, `process.cwd()`, and Node version to the hardcoded URL `https://webhook.site/fceebb0d-9f11-4ac0-98db-6f6b3925f7d3` (postinstall.js line 14, exfil call constructed via `https.request` at line 21 with POST at line 24). The behavior is unconditional, undisclosed in the README (`Does nothing much`), and fires on a default install. Although the package self-describes as a POC, the install-time mechanism is identical to an active reconnaissance/exfiltration payload: any developer or CI machine installing this package leaks its identity (uid/gid/groups via `id`, hostname, cwd, platform) to an attacker-readable webhook bin.
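A defender's check for the install-time mechanism described above, as an added example that is not part of the advisory or the package: it walks an installed tree, lists every package that declares an npm install-time script (generalized from `postinstall` to `preinstall` and `install` as well), and flags command execution, outbound requests and host fingerprinting in the `node <file>` target. The `@example/hooked` fixture, the signal names and the regexes are constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const HOOKS = ['preinstall', 'install', 'postinstall'];
// Patterns worth a manual look in a script that runs at install time (assumed set).
const SIGNALS = {
  runsCommands: /\bchild_process\b|\bexecSync\b/,
  outboundRequest: /\bhttps?\.request\b/,
  hostFingerprint: /\bos\.hostname\b|\bprocess\.cwd\b/,
};
const read = (p) => { try { return fs.readFileSync(p, 'utf8'); } catch { return ''; } };

// Recursively yield every package.json under root (symlinks are not followed).
function* manifests(root) {
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) yield* manifests(full);
    else if (entry.name === 'package.json') yield full;
  }
}

// List each install-time hook and the signals found in its `node <file>` target.
function auditInstallHooks(root) {
  const findings = [];
  for (const file of manifests(root)) {
    let pkg; try { pkg = JSON.parse(read(file)); } catch { continue; }
    for (const hook of HOOKS) {
      const cmd = pkg?.scripts?.[hook];
      if (typeof cmd !== 'string') continue;
      const m = /^node\s+(\S+)/.exec(cmd);
      const src = m ? read(path.resolve(path.dirname(file), m[1])) : '';
      const signals = Object.keys(SIGNALS).filter((k) => SIGNALS[k].test(src));
      findings.push({ name: pkg.name, hook, cmd, signals });
    }
  }
  return findings;
}

// Constructed fixture: one package with a hook, one manifest without. Nothing is executed.
function buildFixture() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'hook-audit-'));
  const hooked = path.join(root, 'node_modules', '@example', 'hooked');
  fs.mkdirSync(hooked, { recursive: true });
  fs.writeFileSync(path.join(hooked, 'package.json'), JSON.stringify(
    { name: '@example/hooked', scripts: { postinstall: 'node postinstall.js' } }));
  fs.writeFileSync(path.join(hooked, 'postinstall.js'),
    "execSync('id'); os.hostname(); process.cwd(); https.request(opts);");
  fs.writeFileSync(path.join(root, 'package.json'), JSON.stringify({ name: 'app' }));
  return root;
}
console.log(auditInstallHooks(buildFixture()));
```

Installing with `npm install --ignore-scripts` keeps these hooks from running at all; the audit shows which installed packages would be affected by that setting.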
Affected packages
No fixed version published yet for @achuthvp/postinstall-poc (npm). Pin to a known-safe version or switch to an alternative.