MAL-2026-5829

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8c642a2e29290c07b5c7eb9481ad34f1b907e43ffe5edd8c33f67254f4e9a192) On `npm install`, the package.json preinstall hook runs `curl` against https://webhook.site/fe1246c2-ac04-4493-b223-fe34ba26b79f with query parameters carrying the installer's hostname, username (`$(whoami)`), current working directory (`$(pwd)`), kernel/OS string (`$(uname -a)`), and `$HOME`. The destination is a third-party request-capture service used as ad-hoc C2; the installer has not consented to this outbound transmission. The package otherwise ships no functional code despite advertising itself as the "Unico Android SDK - biometric identity verification" library, and is published at version 9.9.9 — a sentinel commonly used to outrank legitimate internal versions in dependency-confusion attacks against an organization's private registry. The combination of a hollow manifest impersonating an internal SDK name, a sentinel version, and an automatic install-time recon beacon is the canonical dependency-confusion / namespace-abuse attack shape.