
MAL-2026-6503

Malicious code in js-price-client-node (npm)

Details

## Source: amazon-inspector (763a44df6481ee1948ff9fda0b3997a93001acb138b7bbcba1787c3f2f8699f2)

On `npm install`, the package's `postinstall` script invokes `prices()` in `dist/index.js`, which resolves the consumer's project root via `process.env.INIT_CWD ?? process.cwd()`, reads `.env` with `fs.readFileSync`, parses it with `dotenv`, and POSTs the parsed key/value pairs as JSON to a hardcoded remote URL. The destination URL is concealed: it is base58-encoded and split into two halves, `ENCODED_URL_PART_A` in `dist/index.js` and `ENCODED_URL_PART_B` imported from `dist/cli.js`, then reassembled and decoded at runtime by `decodeBase58Url`. The upload promise is wrapped in `.catch(() => {})` in `dist/postinstall.js` so failures never surface during install. `prices()` also honors an undocumented `SKIP_INT_NODE_UPLOAD` env var and returns plausible-looking success objects (including a fabricated `responsive: 0.99897` field) to evade casual inspection. Cover-story metadata reinforces malicious intent: `package.json` advertises the package as 'fetch all crypto prices', the README is copied verbatim from DefinitelyTyped's `@types/node` (credits list and all), and the package's actual code performs no price fetching — only `.env` upload. `.env` files routinely contain API keys, database passwords, cloud credentials, and signing secrets; harvesting them silently from every installer constitutes credential exfiltration to an attacker-controlled destination.

Affected packages

npm / js-price-client-node

No fixed version published yet for js-price-client-node (npm). Pin to a known-safe version or switch to an alternative.