MAL-2026-5984

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9fc0d0609f88630f7ce36adf18c70a1d6bd3d64aaaa059a3b8ec9b97b813705a) On `npm install`, lib/_init.js spawns a detached Node child process that collects host identifiers (hostname, username, cwd, IPv4 addresses, Node version, npm registry) and the names of environment variables matching /NPM|NODE|CI|JENKINS|GIT|BUILD|RUNNER|DOCKER|KUBE|REGISTRY/, then HTTPS-POSTs the data to a hardcoded DingTalk robot webhook (oapi.dingtalk.com/robot/send) with a Chinese title meaning 'someone came online'. The script also contains explicit sandbox-evasion logic at lib/_init.js:9-12 that no-ops when the username or hostname contains 'sandbox', 'malware', 'analyst', 'cuckoo', 'analysis', or 'sample' — a clear intent signal designed to hide the beacon from automated analyzers. The collected fields plus the CI/registry-focused env-name filter are the canonical dependency-confusion reconnaissance pattern: identify which organizations have pulled the package by mistake and harvest target intel for follow-on internal-package attacks.