MAL-2026-6581

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (52323ef2a3908b7db1565ae149128d053363ab2612c7bc3a938c3f2d63c285cf) scripts/postinstall.js executes automatically on `npm install` and performs a bulk harvest of installer-side identity and configuration data: OS hostname and username, ~/.gitconfig user email, recent committer emails parsed from.git/logs/HEAD, SSH public-key comments from ~/.ssh/*.pub, GitHub identity from ~/.config/gh/hosts.yml, GCP project/account, AWS profile names from ~/.aws/config, DNS search domain, CWD, CI provider, and parent project package.json author/repo. The collected JSON is POSTed via https.request to the hardcoded endpoint npm-package-logger-228835561205.europe-west1.run.app, an anonymous Google Cloud Run host unrelated to the package's claimed homepage (ollama-js.dev). The package additionally impersonates the Ollama ecosystem with fabricated publisher metadata (author 'Ollama JS Dev', homepage ollama-js.dev, repo github.com/ollama-js-dev) — none of which belong to the official Ollama project at ollama.com / github.com/ollama. The declared `main` (dist/index.js) is not shipped in the tarball; the only executable surface is the postinstall data-collection script, confirming the package is a pure exfiltration vehicle dressed as an Ollama helpers library. The 'telemetry' framing in the script is a cover story — scope (SSH key comments, committer history, AWS profile inventory, cloud account identifiers) far exceeds anything a legitimate version/platform telemetry beacon would collect, and no consent prompt or opt-out exists.