MAL-2026-6259

respects-switch is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.0.0, the canonical floating-version bait used to outrank a private-registry package of the same name so that build pipelines preferring the highest available version resolve and install this public package instead. It belongs to the same r0binak dependency-confusion campaign as carousel-controller-mixin (MAL-2026-5856) and setka-editor (MAL-2026-5859). Packages in this campaign declare both preinstall and postinstall hooks that run callback.js on every npm install; the script collects installer identity and environment data (username, uid/gid, hostname, homedir, cwd, platform, Node version, local network interfaces, and the external IP via api.ipify.org) and probes for CI/cloud credential environment variables (AWS_ACCESS_KEY_ID, GITHUB_TOKEN, NPM_TOKEN, DOCKER_PASSWORD) plus GitHub Actions context. The collected data is exfiltrated to a hardcoded Discord webhook and via a DNS side-channel (base64-encoded host data prepended as a subdomain and resolved with dns.resolve()) to defeat egress HTTP filtering on CI networks. Regardless of the stated research intent, install-time exfiltration of host data and credential-presence flags is harmful to any pipeline that resolves this name.