MAL-2026-5833

Malicious code in yunxin-overmind-comment (npm)

Details

## Source: amazon-inspector (57551a10d99024d1d12c7f2e349e6557613ed3a5e036bf45d71129d501fbbabc)

On `npm install`, the package's `scripts.postinstall` runs `src/_postinstall.js`, which spawns a detached Node child that collects the installer's hostname, username, platform/arch, cwd, Node version, npm registry, all non-internal IPv4 addresses, and the keys of environment variables matching /NPM|NODE|CI|JENKINS|GIT|BUILD|RUNNER|DOCKER|KUBE|REGISTRY/. The collected data is HTTPS-POSTed to a hardcoded DingTalk bot webhook (`https://oapi.dingtalk.com/robot/send?access_token=4e5cb67f...df393`). Before sending, the script checks the username and hostname against an analyst/sandbox keyword list (`sandbox`, `malware`, `analyst`, `cuckoo`, `analysis`, `sample`) and silently no-ops if any match: explicit anti-analysis evasion. The combination of automatic install-time execution, host/network reconnaissance scoped to CI/build runners, a hardcoded attacker-controlled callback, and sandbox-evasion gating is the canonical dependency-confusion beacon shape. Installing this package leaks internal hostnames, IP topology, and CI/build environment fingerprints to the operator of the DingTalk webhook, enabling targeted follow-on attacks against the installer's internal infrastructure.

Are you affected?

Affected packages

npm / yunxin-overmind-comment

No fixed version published yet for yunxin-overmind-comment (npm). Pin to a known-safe version or switch to an alternative.

References