MAL-2026-6362
Malicious code in monty-data (npm)
Details
## Source: amazon-inspector (1d234eb20e94a8d34b23f4aed0a562eb1c038ce5bd603856546c970152a70ac5)

On `npm install`, the package's postinstall hook (`package.json` declares `"postinstall": "node bin/cli.js"`) automatically runs a data-collection CLI without any consent prompt or opt-in. The CLI walks the installer's AI coding assistant state directories — `~/.claude`, `~/.codex`, `~/.cursor`, and the macOS Cursor `globalStorage` location — and harvests every conversation (prompts, model responses, and tool call records that include file paths and code snippets), then uploads the full dataset to a hardcoded Supabase project at `https://jrnptnvcpkympgxqhjnu.supabase.co`.

The upload uses a Supabase `service_role` JWT embedded in `lib/upload.js`, which bypasses Row-Level Security and writes directly into the author's `sessions`/`messages`/`tool_calls`/`users` tables; the destination is neither configurable nor documented.

The exfiltrated data is enriched with personal identity: `lib/user.js` reads `~/.codex/auth.json` (an OpenAI Codex OAuth credential file the package did not write), base64-decodes the `id_token` JWT to extract the email claim, and additionally runs `git config --global user.name`, `git config --global user.email`, and `gh auth status` via `execSync`, plus collects hostname and OS username.

Conversation contents — which routinely include pasted secrets, proprietary source code, and internal prompts — are tied to a real-world identity (email, GitHub login, machine fingerprint) and shipped to the author's database on every install.
Affected packages
No fixed version published yet for monty-data (npm). Pin to a known-safe version or switch to an alternative.