
MAL-2026-5803

Malicious code in flow-lending (npm)

Details


## Source: amazon-inspector (244fb3d5df39fbdba24f9a22b86d0bca43667f3376a9529d5cc84e411f11a28f)

On `npm install`, the package's preinstall lifecycle hook executes index.js, which collects host identity (hostname, username, cwd) and enumerates process.env, filtering keys against the regex /key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher/i. The collected JSON is POSTed over HTTPS to a hardcoded bare-IP destination (https://2.25.140.71:8443/surflending/npm-confusion). The package provides no legitimate functionality; the path component 'surflending/npm-confusion' and the 9.9.9 version (a version-bump pattern used to win dependency-confusion resolution) indicate a directed dependency-confusion attack against an internal Cardano/SundaeSwap-related package name. Any installer with wallet-related secrets in environment variables (mnemonics, private keys, Blockfrost tokens, Telegram bot tokens, Redis credentials, batcher keys) loses them at install time.


Affected packages

npm / flow-lending

No fixed version published yet for flow-lending (npm). Pin to a known-safe version or switch to an alternative.
