MAL-2026-5793

Malicious code in nativescript-swisspost-pcc-creative-editor (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a9c9ef8861d14485e696e98c66d95ee5c2a5a608b213841c9c18b254003ae049)

Package masquerades as an internal Swiss Post NativeScript package (name `nativescript-swisspost-pcc-creative-editor`, description literally `Security PoC for Bug Bounty`). package.json declares `preinstall: node index.js`. On `npm install`, index.js reads `process.env.INIT_CWD`, takes its basename as the installer's project directory name, and POSTs it together with a timestamp to a hardcoded callback URL `https://deepbounty.dd06-dev.fr/cb/dc8ee9ff-1372-47c3-b2b6-ce0564ce1f90`. Effect on the installer: arbitrary Node code executes at install time and the installer's project name is leaked to a third-party host without consent. Although the author labels it a bug-bounty proof of concept, the package is structurally a dependency-confusion attack — any developer or build system that pulls it expecting the legitimate internal Swiss Post package suffers code execution and information disclosure.
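As a defender-side check for the pattern this advisory describes, the following added example (not part of the advisory or of the package itself) audits a `node_modules` tree for lifecycle install hooks and flags hook scripts that read `INIT_CWD` or embed a hard-coded callback URL. The package names and the URL in the fixture are constructed placeholders.

```python
"""Added example (not advisory code): audit node_modules for install hooks and
flag the INIT_CWD-plus-callback-URL pattern described above."""
import json
import re
import tempfile
from pathlib import Path

HOOKS = ("preinstall", "install", "postinstall")
# Heuristics from the advisory: INIT_CWD project-name harvesting and a hard-coded callback URL.
SUSPICIOUS = {
    "reads INIT_CWD": re.compile(r"process\.env\.INIT_CWD"),
    "hard-coded URL": re.compile(r"https?://[^\s'\"`]+"),
}


def audit_package(pkg_dir: Path) -> dict:
    """Return a finding for one package, or {} when it has no install hooks."""
    manifest = json.loads((pkg_dir / "package.json").read_text())
    scripts = manifest.get("scripts") or {}
    hooks = {h: scripts[h] for h in HOOKS if h in scripts}
    if not hooks:
        return {}
    indicators = set()
    for cmd in hooks.values():
        m = re.match(r"\s*node\s+(\S+)", cmd)  # resolve `node <file>` hooks to the file
        target = pkg_dir / m.group(1) if m else None
        if target and target.is_file():
            body = target.read_text()
            indicators.update(k for k, p in SUSPICIOUS.items() if p.search(body))
    return {"name": manifest.get("name", pkg_dir.name), "hooks": hooks, "indicators": sorted(indicators)}


def audit_node_modules(root: Path) -> list:
    """Audit plain and @scoped packages directly under a node_modules dir."""
    manifests = list(root.glob("*/package.json")) + list(root.glob("@*/*/package.json"))
    return [f for f in (audit_package(m.parent) for m in manifests) if f]


def demo() -> list:
    """Constructed fixture: one hooked package (placeholder URL) and one benign one."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    bad, good = root / "example-internal-pkg", root / "example-benign-pkg"
    bad.mkdir(parents=True)
    good.mkdir()
    (bad / "package.json").write_text(json.dumps(
        {"name": "example-internal-pkg", "scripts": {"preinstall": "node index.js"}}))
    (bad / "index.js").write_text("const d = require('path').basename(process.env.INIT_CWD || '');\n"
                                  "const cb = 'https://callback.example.invalid/cb/PLACEHOLDER';\n")
    (good / "package.json").write_text(json.dumps({"name": "example-benign-pkg", "version": "1.0.0"}))
    return audit_node_modules(root)
```

Running installs with `ignore-scripts=true` in `.npmrc` stops such a `preinstall` hook from executing at all, so this audit is best used alongside that setting rather than instead of it.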

Affected packages

npm / nativescript-swisspost-pcc-creative-editor

No fixed version published yet for nativescript-swisspost-pcc-creative-editor (npm). Pin to a known-safe version or switch to an alternative.