MAL-2026-6554
Malicious code in insomnia-test-util-m4gester (npm)
Details
## Source: amazon-inspector (3af3f61639cfac47d91b75ec177ce18a07c29535b0f39806a286093e739494c8)

Package ships no functional code and exists solely to execute a shell command on `npm install`. The `postinstall` lifecycle hook runs `echo PWNED_BY_DEEPLINK > /tmp/pwned.txt`, dropping a marker file at `/tmp/pwned.txt` on the installer's machine. The self-identifying marker string (`PWNED_BY_DEEPLINK`) confirms the package's only purpose is to demonstrate arbitrary install-time code execution against installers. The package name mimics the Insomnia (Kong) HTTP-client ecosystem naming convention while the publishing handle is unrelated, consistent with a lure/PoC namespace-abuse shape. Although the present payload is a benign marker write, the install-time arbitrary-command-execution primitive is fully wired and would execute any command the maintainer publishes in a future version.
Affected packages

No fixed version published yet for insomnia-test-util-m4gester (npm). Pin to a known-safe version or switch to an alternative.