MAL-2026-5784

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b81c6b9e59e86c40858cb47e91d597b3776fea71def7feb3ca11833625fa3923) On `npm install`, the package's preinstall hook (`node postinstall.js || true`) executes automatically. The script collects hostname, username, and current working directory, then iterates process.env and filters keys matching the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i, capturing CI tokens, SSH keys, deploy credentials, cloud API keys, RPC/wallet secrets, and similar. The collected JSON payload is POSTed via https.request to the hardcoded bare IP 185.130.46.35:8443/collect. The package metadata reinforces the attack shape: version 999.0.0 and description "Internal package" are the canonical dependency-confusion pattern, intended to override an organization's internal `vaults-monitor-cron` package. The `|| true` suffix on the preinstall command swallows errors so the install appears to succeed silently. There is no legitimate functionality in the package — its sole on-install effect is credential exfiltration.