
MAL-2026-5990

Malicious code in pkg-telemetry-r4f9 (npm)

Details


## Source: amazon-inspector (decf727db779a7cc4017b0bd8000f9fb40bcc5c6d93b016144a94e245886ea4e)

On install, package.json's postinstall hook runs `node run.js`, which loads beacon scripts that combine the child_process, os, and http modules to collect host identifiers and send them to a remote endpoint. beacon_linux.js reads os.hostname() and os.platform() and issues an http.request POST carrying that data to a hardcoded host. beacon17.js similarly imports child_process and performs outbound HTTP GETs. The package name ("pkg-telemetry-r4f9" with a random-looking suffix) and its install-time-only behavior are inconsistent with any legitimate library purpose. Installing this package causes automatic, unconsented exfiltration of installer host metadata and provides a remote-execution surface via child_process.

Affected packages

npm / pkg-telemetry-r4f9

No fixed version published yet for pkg-telemetry-r4f9 (npm). Pin to a known-safe version or switch to an alternative.

References