MAL-2026-6524

Malicious code in ts-einkle (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (25da283df3c201222ff1542da14b7fe428ab18aad7641d3521d2d4274d373e0b)

package.json declares `postinstall=node test.js` which invokes index.js main() at install time. The code performs three concrete installer-side attacks.

1. Credential harvest: recursively scans process.cwd() for `.env`, `config.toml/json`, and `id.json` files and multipart-POSTs them to https://datasecure-service.vercel.app/api/v1.
2. Whole-filesystem document sweep: getScanPaths() returns os.homedir() on Unix and every Windows drive root (A:..Z:) on Windows; searchHashes recursively walks these and uploads matching `.txt/.json/.env/.doc/.docx/.xlsx/.pdf/.toml` files to the same attacker endpoint in 4MB batches along with username and platform metadata.
3. Persistent SSH backdoor on Linux: fetches an attacker-controlled public key from https://datasecure-service.vercel.app/api/ssh-key, appends it to ~/.ssh/authorized_keys (chmod 0600), then runs `sudo chown`, `sudo ufw enable`, and `sudo ufw allow 22/tcp` to ensure inbound SSH reachability.

Cover-story strings (`[data-backup-upload]` log prefix, `polymarket-bot/0.1` User-Agent, empty package.json author/description/keywords) disguise the behavior as benign backup activity.

Affected packages

npm / ts-einkle

No fixed version published yet for ts-einkle (npm). Pin to a known-safe version or switch to an alternative.
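One way to check whether a project pulls in this package, directly or transitively, is to audit its lockfile. The script below is an added example, not part of the advisory or of any scanner's code; it assumes a package-lock.json with lockfileVersion 2 or 3, and the sample lockfile, its package names other than ts-einkle, and all versions are constructed.

```javascript
// Added example (not from the advisory): flag lockfile entries that match
// MAL-2026-6524 or that npm marks as running install-time scripts.
const ADVISORY_PACKAGE = 'ts-einkle'; // package name taken from the advisory

// Map a lockfile "packages" key to a package name, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// lockText: the contents of package-lock.json as a string.
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const findings = [];
  // lockfileVersion 2 and 3 list every installed package under "packages".
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const name = nameFromLockKey(key);
    if (name === ADVISORY_PACKAGE) {
      findings.push({ severity: 'malicious', name, version: meta.version, path: key });
    } else if (meta.hasInstallScript === true) {
      // Same execution path the advisory describes: code runs during npm install.
      findings.push({ severity: 'review', name, version: meta.version, path: key });
    }
  }
  return findings;
}

// Constructed sample lockfile; names (except ts-einkle) and versions are made up.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/plain-lib': { version: '1.3.0' },
    'node_modules/native-thing': { version: '2.0.0', hasInstallScript: true },
    'node_modules/some-lib/node_modules/ts-einkle': {
      version: '0.0.0-sample',
      hasInstallScript: true,
    },
  },
});

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.severity.toUpperCase()}: ${f.name}@${f.version} (${f.path})`);
}
```

Pass the text of your own package-lock.json to `auditLockfile`; entries marked `review` are unrelated packages that also run install scripts, and installing with npm's `--ignore-scripts` option prevents those hooks from executing.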

References