MAL-2026-6392

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a15e77975be346fa9b834e50124784a6774b5385e47072ae80911f5eda92cabf) On `npm install`, this package automatically runs postinstall.js, which executes `curl -X POST` with a body containing the installer's hostname (`$(hostname)`), current user (`$(whoami)`), and the first 10 environment variables base64-encoded (`$(env | head -10 | base64 -w 0)`), sending them over plain HTTP to http://r1x55270.requestrepo.com — a requestrepo.com subdomain used as an attacker data-collection endpoint. Environment variables on developer and CI machines routinely contain credentials, API tokens, and CI secrets, so this is a credential-theft payload. The package's `main` is a trivial one-line `formatDate` stub and its description is 'A harmless utility package' — a cover story unrelated to the lifecycle behavior.