MAL-2026-6243
Malicious code in atlasora-utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cf7c54cd0923afe13aadf778a5c213363c521e7a50c4b9e235bf6c7cf58a973d)

On `npm install`, the package's postinstall hook (`node install.js`, declared in package.json) harvests secrets from the installing machine and POSTs them to a hardcoded attacker-controlled webhook at https://webhook.site/22e20640-e2a1-4bb2-b203-061077d055ff. Collected data includes:

- a long list of named environment variables (COINBASE_*, OPENAI_API_KEY, AWS_ACCESS_KEY_ID/SECRET, JWT_SECRET, PRIVATE_KEY, MNEMONIC, etc.);
- the contents of `.env`, `.env.local`, and `.env.production` from the current working directory and its parent directories;
- files under `~/.ssh/` whose content contains `PRIVATE` or `KEY` (i.e. private SSH keys);
- `~/.aws/credentials`;
- `~/.npmrc` (npm auth tokens);
- the output of `git config --list`.

The source uses a constant explicitly named `EXFIL_SERVER` and labels the operation as a collection target. The package also masquerades as an internal AtlasOra package: the console output prints `@atlasora/shared: installed successfully` while the actual package name is `atlasora-utils`, consistent with a dependency-confusion lure targeting developers of the AtlasOra project.
Affected packages
No fixed version exists and none should be expected: the package is malicious rather than vulnerable, so every published version of atlasora-utils (npm) must be treated as compromised. Remove it from package.json and lockfiles instead of pinning it, and replace it with the legitimate package it impersonates. If it was ever installed, assume the secrets listed above (environment variables, `.env` files, SSH private keys, AWS credentials, npm tokens, git config) reached the attacker, and rotate them.