
MAL-2026-6373

Malicious code in twilio-voice-js-reference-components (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a3a57b06daad43c269fe3846083da2fdce277fd1ff3a9399533072f6e894afc2)

Package impersonates the Twilio Voice JS SDK namespace and ships a single exfiltration payload. `package.json` declares `"preinstall": "node index.js"`, causing `index.js` to run automatically on `npm install` with no user interaction. `index.js` requires `os`/`fs`/`https`, collects `os.hostname()`, `os.userInfo()`, the user's home directory, DNS server configuration, and reads `/etc/passwd` and `/etc/hosts`, then POSTs the collected data over HTTPS to kocxl3uxcqn73ybo0k9e4g6d74d41upj.oastify.com — a Burp Collaborator out-of-band probe subdomain controlled by the attacker. The package contains no real reference components, has empty author/description metadata, and the name closely mimics the legitimate Twilio Voice JS package — a typosquat / dependency-confusion lure aimed at Twilio-related build systems.
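A static triage check for the pattern described above, as an added example that is not code from the advisory or from the package: it flags install-time lifecycle hooks in a `package.json` and scans the script they run for the indicators this entry lists. The function names, rule ids, and the sample manifest and script text are constructed for illustration.

```javascript
// Install-time lifecycle hooks that npm runs automatically on `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Indicators drawn from the advisory text; the rule ids are hypothetical.
const INDICATORS = [
  { id: 'host-recon',  re: /os\.(hostname|userInfo|homedir)\s*\(/ },
  { id: 'system-file', re: /\/etc\/(passwd|hosts)\b/ },
  { id: 'network',     re: /require\(\s*['"](https?|net|dns)['"]\s*\)/ },
  { id: 'oast-domain', re: /\b[\w.-]+\.oastify\.com\b/i },
];

// Files a hook command runs via `node <file>`.
function hookTargets(cmd) {
  return [...cmd.matchAll(/\bnode\s+([^\s;&|]+)/g)].map((m) => m[1]);
}

// manifest: parsed package.json; readFile(path) returns source text or null.
function triagePackage(manifest, readFile) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd !== 'string') continue;
    findings.push({ rule: 'install-hook', hook, detail: cmd });
    for (const file of hookTargets(cmd)) {
      const src = readFile(file);
      if (src == null) continue; // hook target not shipped in the package
      for (const { id, re } of INDICATORS) {
        const m = src.match(re);
        if (m) findings.push({ rule: id, hook, detail: `${file}: ${m[0]}` });
      }
    }
  }
  if (!manifest.author && !manifest.description) {
    findings.push({ rule: 'empty-metadata', hook: null, detail: 'no author/description' });
  }
  // High: code runs at install time, gathers host data and can reach the network.
  const rules = new Set(findings.map((f) => f.rule));
  const gathers = rules.has('host-recon') || rules.has('system-file');
  const high = rules.has('install-hook') && rules.has('network') && gathers;
  const risk = high ? 'high' : rules.has('install-hook') ? 'review' : 'low';
  return { name: manifest.name, risk, findings };
}

// Constructed sample: an inert fragment naming the calls the advisory lists.
const SAMPLE_MANIFEST = { name: 'constructed-sample', author: '', description: '',
  scripts: { preinstall: 'node index.js' } };
const SAMPLE_FILES = { 'index.js': [
  "const os = require('os'); const fs = require('fs'); const https = require('https');",
  "const info = [os.hostname(), os.userInfo(), '/etc/passwd', '/etc/hosts'];",
  "const host = 'constructed-id.oastify.com'; // never contacted",
].join('\n') };
function demo() { return triagePackage(SAMPLE_MANIFEST, (f) => SAMPLE_FILES[f] ?? null); }
```

A `review` result means an install hook exists but the scanned script shows no exfiltration indicators, which is common for native-addon builds and still worth a manual look.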


Affected packages

npm / twilio-voice-js-reference-components

No fixed version published yet for twilio-voice-js-reference-components (npm). Pin to a known-safe version or switch to an alternative.
