MAL-2026-6075
Malicious code in opt-archetype-check (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6497b3f44c017bc9ba783cd75e17d4992f79542d8819558da92e152ee4d4471e)

On `npm install`, the package's postinstall hook executes `node index.js`, which collects the installer's public IP (via api.ipify.org), hostname, username, platform, current working directory, process id, and Windows domain environment variables (COMPUTERNAME, USERDOMAIN, LOGONSERVER, USERDNSDOMAIN, USERNAME), and POSTs the JSON payload to the hardcoded attacker endpoint http://109.71.252.153:8080/callback over plain HTTP. index.js line 24 hardcodes the callback host (`const CALLBACK_HOST = "109.71.252.153";`) and line 73 issues the POST to `/callback`. The file's own header self-identifies as a 'PoC Callback Script — npm Package Takeover'.

The package's description ('walmart Application and Middleware Server') and name shape are consistent with dependency-confusion impersonation of internal Walmart tooling — any environment that mistakenly resolves this public package will execute the beacon and leak infrastructure fingerprints to the attacker, providing reconnaissance for follow-on intrusion against the targeted internal namespace.
Affected packages
No fixed version published yet for opt-archetype-check (npm). Pin to a known-safe version or switch to an alternative.
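
A check for the resolution mistake described above, as an added example that is not part of the advisory: it scans a parsed `package-lock.json` (lockfileVersion 2 or 3) for `opt-archetype-check` entries that were resolved from anywhere other than a trusted registry, and reports whether npm recorded an install script for them. The host `npm.internal.example`, the sample lockfile and its version numbers are constructed assumptions.

```javascript
// Added example, not the advisory's code. Sample data below is constructed.
const WATCHED = new Set(["opt-archetype-check"]); // package named in this advisory

// Constructed lockfile: versions and the internal host are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/opt-archetype-check": { version: "9.9.9", hasInstallScript: true,
      resolved: "https://registry.npmjs.org/opt-archetype-check/-/opt-archetype-check-9.9.9.tgz" },
    "node_modules/tool/node_modules/opt-archetype-check": { version: "1.2.0",
      resolved: "https://npm.internal.example/opt-archetype-check/-/opt-archetype-check-1.2.0.tgz" },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"; root ("") and workspace keys -> null.
function nameFromKey(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// Host of the tarball URL, or null when the entry has none or it does not parse.
function resolvedHost(entry) {
  try { return new URL(entry.resolved).host; } catch { return null; }
}

// Report every watched package that did not come from a trusted registry host.
function auditLock(lock, trustedHosts) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromKey(key);
    if (!name || !WATCHED.has(name)) continue;
    const host = resolvedHost(entry);
    if (host !== null && trustedHosts.includes(host)) continue;
    findings.push({ path: key, version: entry.version ?? null, host,
      runsInstallScript: entry.hasInstallScript === true });
  }
  return findings;
}

console.log(auditLock(SAMPLE_LOCK, ["npm.internal.example"]));
```

Pass it the `JSON.parse` result of your own lockfile and your registry host. Installing with `npm ci --ignore-scripts` keeps a postinstall hook like the one described here from running.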