MAL-2026-6552
Malicious code in insomnia-plugin-poc-m4gester (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0eb7024d158c345559d9f130ba3a6b52563328467ec6bb560e196e5c7bc9b955)

package.json declares a postinstall lifecycle hook that runs a shell command writing a marker file to /tmp on `npm install` (`"postinstall": "echo PWNED_BY_DEEPLINK > /tmp/..."`). The package ships no library code, no plugin implementation, and the description field is literally "test" — there is no advertised functionality to justify the install-time shell execution. The package name `insomnia-plugin-poc-m4gester` further self-identifies as a proof-of-concept exploit targeting the Insomnia REST client plugin namespace. Installing this package results in attacker-chosen shell execution on the installer's machine; the current payload is benign (a marker file write) but the mechanism is arbitrary code execution at install time and could trivially be swapped for a destructive or exfiltrating command in a future version.
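As an added example (not part of the advisory or of the package), the check below is what a defender can run over an installed `node_modules` tree to surface packages that declare install-time lifecycle hooks like the postinstall above, and to flag the advisory's pattern of hooks in a package with no declared entry point. The sample manifest is constructed to mirror the advisory; its marker path is a placeholder, not the real one.

```python
import json
import os
import tempfile

# Lifecycle scripts that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_hooks(manifest):
    """Return {hook: command} for every install-time script a parsed package.json declares."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def needs_review(manifest):
    """Coarse heuristic for this advisory's pattern: install hooks, but no declared entry point."""
    ships_code = any(key in manifest for key in ("main", "bin", "exports"))
    return bool(install_hooks(manifest)) and not ships_code


def audit_node_modules(root):
    """Walk an installed tree; return [(name, {hook: command})] for packages with install hooks."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except ValueError:
                continue  # malformed manifest: skip rather than abort the audit
        hooks = install_hooks(manifest) if isinstance(manifest, dict) else {}
        if hooks:
            findings.append((manifest.get("name", dirpath), hooks))
    return findings


# Constructed manifest shaped like the advisory's; the marker path is a placeholder.
SAMPLE_MANIFEST = {
    "name": "insomnia-plugin-poc-m4gester",
    "version": "0.0.0",
    "description": "test",
    "scripts": {"postinstall": "echo PWNED_BY_DEEPLINK > /tmp/EXAMPLE_MARKER"},
}


def demo():
    """Write the sample manifest into a throwaway node_modules tree and audit it."""
    pkg = os.path.join(tempfile.mkdtemp(), "node_modules", SAMPLE_MANIFEST["name"])
    os.makedirs(pkg)
    with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_MANIFEST, fh)
    return audit_node_modules(os.path.dirname(pkg))
```

Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in `.npmrc`) stops such hooks from executing at all, which is the simplest mitigation for install-time code execution of this kind.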
Affected packages
No fixed version published yet for insomnia-plugin-poc-m4gester (npm). Pin to a known-safe version or switch to an alternative.