MAL-2026-6366
Malicious code in backpack-ios (npm)
Details
## Source: amazon-inspector (25f0d7ea98cef4ddcac8af3b854c37c1a8a3246a13357af60cb36589454657b5)

package.json declares `"preinstall": "node index.js"`, causing index.js to execute automatically on `npm install`. The script collects host identifiers (os.hostname, os.userInfo, homedir, DNS servers, cwd, full package.json) and reads /etc/passwd and /etc/hosts via fs.readFileSync, then HTTPS POSTs the JSON payload to xopalguac3nk3bb10x9r4t6q7hdd13ps.oastify.com, a Burp Collaborator (OAST) subdomain used for out-of-band data exfiltration. The package name mirrors Skyscanner's Backpack iOS design-system package while shipping a ~2KB exfil-only payload with empty author/description fields, consistent with a dependency-confusion / typosquat lure. Installing this package directly leaks installer host identity and local user account data to an attacker-controlled endpoint.
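A triage check for the pattern described above, as an added example (not part of the advisory or of any scanner's own code): it statically inspects an unpacked package for an install-time lifecycle hook whose target script touches host identifiers, /etc/passwd or /etc/hosts, and an oastify.com host. The function names, the `files` map shape, the regexes and the sample input are assumptions of this example.

```javascript
// Added example: static triage of an unpacked npm package. Nothing is executed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Behaviours named in the advisory; the regexes are this example's own heuristics.
const INDICATORS = [
  ["host-recon", /\bos\.(hostname|userInfo|homedir)\s*\(/],
  ["sensitive-file-read", /\/etc\/(passwd|hosts)\b/],
  ["oast-endpoint", /\b[a-z0-9-]+\.oastify\.com\b/i],
];

const pick = (files, name) =>
  Object.prototype.hasOwnProperty.call(files, name) ? files[name] : undefined;

// manifest: parsed package.json; files: { relativePath: sourceText } (hypothetical shape).
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push({ rule: "install-hook", hook, detail: cmd });
    // Follow `node <file>` so the hook's target is scanned, not only the manifest.
    const m = /^\s*node\s+(?:\.\/)?([\w./-]+)/.exec(cmd);
    const source = m ? pick(files, m[1]) ?? pick(files, m[1] + ".js") : undefined;
    if (typeof source !== "string") continue;
    for (const [rule, re] of INDICATORS) {
      const hit = re.exec(source);
      if (hit) findings.push({ rule, hook, detail: hit[0] });
    }
  }
  if (!manifest.author && !manifest.description) {
    findings.push({ rule: "empty-metadata", hook: null, detail: "no author or description" });
  }
  return findings;
}

// A hook alone is common; hook + host-data collection + OAST host is this advisory's pattern.
function matchesAdvisoryPattern(findings) {
  const rules = new Set(findings.map((f) => f.rule));
  return rules.has("install-hook") && rules.has("oast-endpoint") &&
    (rules.has("host-recon") || rules.has("sensitive-file-read"));
}

// Constructed, inert sample input (not the real package contents).
const SAMPLE_MANIFEST = { name: "backpack-ios", author: "", description: "",
  scripts: { preinstall: "node index.js" } };
const SAMPLE_FILES = { "index.js":
  "os.hostname(); fs.readFileSync('/etc/passwd'); // host: placeholder.oastify.com" };
console.log(matchesAdvisoryPattern(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES)));
```

When unpacking a suspect package for inspection, `npm install --ignore-scripts` keeps lifecycle scripts such as this `preinstall` from running.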
Affected packages
No fixed version published yet for backpack-ios (npm). Pin to a known-safe version or switch to an alternative.