MAL-2026-6132

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fc05e6833390f96b1a53f5d1612e613436e5002673da2f7a8c1e8e9f9f41c525) package.json declares `preinstall: node index.js`, which fires automatically on `npm install`. index.js collects hostname, platform, architecture, home directory, username/uid/gid/shell, OS details, the output of `whoami` and `id`, and the current working directory, then POSTs the JSON payload to a hardcoded collector URL `https://webhook.site/4f54203c-996c-4f52-b136-ef9b1fd0f64d/detox56` (index.js:7, index.js:108). The package has no functional code — empty author, empty description, and a bizarre version string `99.21.1-1.21.199` consistent with a throwaway dependency-confusion / recon probe. Installing this package leaks installer identity and host fingerprint to an attacker-controlled collector, enabling targeted follow-on attacks against the developer or build environment.