MAL-2026-5858
Malicious code in metrics-pipeline-d8k2 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (01ad2ee3d3807102a3f02c01af0d3fec46d91e9764eb77a8bcedf9c6be7fc3b0)

Package declares `"postinstall": "node run.js"` in package.json, causing automatic execution of bundled beacon scripts on `npm install`.

beacon29.js loads `child_process`, `https`, and `fs`, reads files via `fs.readFileSync` and reads `process.env`, gathers host identity (`process.platform`), and POSTs/GETs the data to remote endpoints; it also references `https://registry.npmjs.org` and `https://npm.pkg.github.com`, consistent with credential/token harvesting and potential self-propagation through registry APIs.

beacon_linux.js mirrors the pattern on Linux: `require('child_process')` + `require('http')` + `os.hostname()` + `os.platform()` followed by `http.request(...)` POST to a remote host.

The package's stated 'metrics pipeline' name is a cover; the only behavior on install is host fingerprinting and outbound exfiltration. Installing this package on a developer or CI machine causes immediate compromise: environment variables (which commonly hold cloud and CI tokens), file contents, and host identifiers are sent to attacker-controlled infrastructure without user interaction.
Affected packages
No fixed version has been published for metrics-pipeline-d8k2 (npm), and because the package is malicious rather than merely vulnerable there is no known-safe version to pin to. Remove it from your dependencies and lockfiles, switch to an alternative, and treat any environment variables and files on hosts where it was installed as exposed: rotate the cloud, CI and registry credentials they held.
References
- https://www.npmjs.com/package/metrics-pipeline-d8k2/v/1.0.0 [PACKAGE]
- https://www.npmjs.com/package/metrics-pipeline-d8k2/v/1.0.1 [PACKAGE]
- https://www.npmjs.com/package/metrics-pipeline-d8k2/v/1.0.2 [PACKAGE]
- https://www.npmjs.com/package/metrics-pipeline-d8k2/v/1.0.3 [PACKAGE]
- https://www.npmjs.com/package/metrics-pipeline-d8k2/v/1.0.4 [PACKAGE]
- https://www.npmjs.com/package/metrics-pipeline-d8k2/v/1.0.5 [PACKAGE]