MAL-2026-6353
Malicious code in markdownlint-cli2-fix (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (ca7d5154ecbbcc636198bd2314e1916e5f0673d37ab7b14caca2ea96ad5ac5e1)

Package name 'markdownlint-cli2-fix' impersonates the popular 'markdownlint-cli2' linter but contains no linter functionality: the README states 'Takeover By lobo / For POC only' and the package ships only postinstall.js plus metadata.

postinstall.js (line 30) hardcodes `BURP_COLLABORATOR_URL = "http://i0jvc03bvcjt40q39f5fx8671y72vxjm.oastify.com"`. When run, it:

- collects host and network reconnaissance: os.hostname(), username, network interfaces, disk info, AD domain info, and the full process list via `ps aux`/`tasklist` through execSync;
- enumerates `Object.keys(process.env)` against a curated credential list (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, NPM_TOKEN, STRIPE_SECRET, SSH_PRIVATE_KEY, DEPLOY_KEY, SLACK_TOKEN, DISCORD_TOKEN, JWT_SECRET) plus the regex `/_(TOKEN|SECRET|KEY|PASSWORD|PWD|APIKEY|API_KEY|PRIVATE_KEY)$/i`;
- POSTs the resulting JSON payload to the attacker-controlled Burp Collaborator endpoint at oastify.com.

package.json in this version does not declare a `scripts.postinstall` hook, so the file does not auto-execute on `npm install`. The package is nonetheless a deliberate typosquat with no legitimate purpose, the exfiltration code is fully functional, and credential exfiltration follows immediately if an installer is tricked into running the file or a later republish wires up the lifecycle hook.
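The following is an added audit script, not code from the advisory or from the package. It mirrors the credential-selection rule described above (the curated name list plus the suffix regex) so a team can see which variable names in a build environment would have been harvested, reports only names and never values, and checks a lockfile and a package.json for the typosquat name and for install-time lifecycle hooks. The function names, the sample environment, the lockfile and the package.json contents are constructed for illustration; no network call is made.

```javascript
// Added example: offline audit for the markdownlint-cli2-fix typosquat.
// Function names and sample inputs are constructed; nothing here is from the package.

const SQUAT_NAME = "markdownlint-cli2-fix";
const LEGIT_NAME = "markdownlint-cli2";

// Curated list of variable names quoted in the advisory (matched case-sensitively).
const CURATED = new Set([
  "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN", "NPM_TOKEN",
  "STRIPE_SECRET", "SSH_PRIVATE_KEY", "DEPLOY_KEY", "SLACK_TOKEN",
  "DISCORD_TOKEN", "JWT_SECRET",
]);
// Suffix regex quoted in the advisory; note the /i flag catches lowercase names too.
const SUFFIX_RE = /_(TOKEN|SECRET|KEY|PASSWORD|PWD|APIKEY|API_KEY|PRIVATE_KEY)$/i;

// Returns the sorted env var NAMES the package's selection rule would pick.
// Values are deliberately never touched or returned.
function exposedEnvNames(env) {
  return Object.keys(env)
    .filter((name) => CURATED.has(name) || SUFFIX_RE.test(name))
    .sort();
}

// Finds where a package name appears in a package-lock.json.
// Handles lockfile v2/v3 ("packages" keyed by node_modules path) and v1 (nested "dependencies").
function lockfileMentions(lockJsonText, name) {
  const lock = JSON.parse(lockJsonText);
  const hits = [];
  for (const p of Object.keys(lock.packages || {})) {
    if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) hits.push(p);
  }
  const walk = (deps, prefix) => {
    for (const [depName, dep] of Object.entries(deps || {})) {
      const here = `${prefix}${depName}`;
      if (depName === name) hits.push(here);
      walk(dep.dependencies, `${here} > `);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Returns the lifecycle scripts in a package.json that npm runs during install.
// The advisory notes this version declares none; a republish could add one.
function installHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return ["preinstall", "install", "postinstall", "prepare"].filter((h) => h in scripts);
}

// Constructed sample inputs (not real secrets, not the real lockfile).
const SAMPLE_ENV = {
  PATH: "/usr/bin", HOME: "/home/ci", DEBUG: "1", GITHUB_ACTIONS: "true",
  npm_config_registry: "https://registry.npmjs.org/",
  AWS_ACCESS_KEY_ID: "constructed", MY_API_KEY: "constructed",
  DATABASE_PASSWORD: "constructed", npm_token: "constructed",
};
const SAMPLE_LOCK_V3 = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { [SQUAT_NAME]: "*" } },
    [`node_modules/${SQUAT_NAME}`]: { version: "0.0.0-constructed" },
  },
});
const SAMPLE_PKG_NO_HOOK = JSON.stringify({ name: SQUAT_NAME, scripts: {} });
const SAMPLE_PKG_WITH_HOOK = JSON.stringify({
  name: SQUAT_NAME, scripts: { postinstall: "node postinstall.js" },
});

function runAudit() {
  return {
    exposed: exposedEnvNames(SAMPLE_ENV),
    squatInLock: lockfileMentions(SAMPLE_LOCK_V3, SQUAT_NAME),
    legitInLock: lockfileMentions(SAMPLE_LOCK_V3, LEGIT_NAME),
    hooksNow: installHooks(SAMPLE_PKG_NO_HOOK),
    hooksIfRepublished: installHooks(SAMPLE_PKG_WITH_HOOK),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

Run against a real CI environment by replacing `SAMPLE_ENV` with `process.env` and the sample texts with the contents of your lockfile and the installed package's package.json; any name in `exposed` on a host where postinstall.js was executed is a credential to rotate.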
Affected packages
No fixed version has been published for markdownlint-cli2-fix (npm), and there is no safe version to pin to: the package is a typosquat with no legitimate functionality. Remove it from package.json and lockfiles and install the intended linter, markdownlint-cli2, instead. If postinstall.js was ever executed on a host, treat the credentials present in that environment as exposed and rotate them.