MAL-2026-919

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4b33015300fa18b6b3d2c2f1c0af0e77cbd9fa96c7af7befbe61a5422165824e) package.json declares `preinstall: node index.js`, which runs automatically on every `npm install`. index.js collects os.homedir(), os.hostname(), os.userInfo().username, dns.getServers(), the package name, __dirname, and the full package.json contents, then HTTPS POSTs them as a querystring `msg=...` parameter to `2mpf1804g4gnfnvuqqx3om0cw32vqlea.oastify.com` — a Burp Collaborator (oastify.com) subdomain used as an out-of-band recon/exfiltration channel. The package provides no legitimate functionality; its only on-install effect is to leak installer host identity and project metadata to an attacker-controlled endpoint. This is the canonical dependency-confusion / red-team recon beacon shape.

## Source: ossf-package-analysis (d35cd4fc7e553141b386ee1a6a68e45c41d5ae73d8e013beafd90f6dfc4b1afd) The OpenSSF Package Analysis project identified 'mds-webcomponents' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.