MAL-2026-4710
Malicious code in walmart-shared-modules (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e6bfb508fa412e49b249eaf5529f175ebb14f0e7d9fe19a119e8cc9acf25505a)

Package declares `preinstall: node poc.js`, which on `npm install` collects host identity (os.hostname, whoami/id, ipconfig/ip a output), scrapes environment variables matching credential-shaped prefixes (TOKEN, AWS, AZURE, NPM, GITHUB, GITLAB, JENKINS, CI_, WALMART, WMT), reads the parent project's package.json and CI configuration files (.gitlab-ci.yml, .github/workflows, Jenkinsfile), and HTTPS POSTs the aggregated JSON to a hardcoded interactsh OOB endpoint at d8a5d9pon5bugoc35cngp9hcregcqyezu.oast.me, plus a DNS callback with a hex-encoded hostname/username. The package is published at version 99.0.1 with a self-described 'Dependency Confusion PoC' purpose targeting Walmart's internal `walmart-shared-modules` namespace, intended to win npm's highest-version-wins resolution. Any installer outside Walmart's authorized testing scope still suffers full environment and CI-secret exfiltration; self-declared 'security research' framing does not neutralize the harm to unrelated installers.
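A defender-side check for the three traits described above (an install-time lifecycle hook, an implausibly high version, and an internal package name resolved from somewhere other than the private registry), as an added example that is not part of the advisory or of any vendor tooling. The function name, the threshold of 90, the host `npm.internal.example` and the sample manifests and URLs are assumptions constructed for illustration.

```javascript
// Added example: audit parsed package.json manifests for the traits in this advisory.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumption: names your organisation publishes only to its private registry.
const INTERNAL_NAMES = new Set(["walmart-shared-modules"]);
// Hypothetical cut-off for an implausibly high major version.
const MAJOR_THRESHOLD = 90;

// manifest: parsed package.json; resolvedFrom: the "resolved" URL from the lockfile;
// privateRegistryHost: hostname of the registry that should serve internal names.
function auditManifest(manifest, resolvedFrom, privateRegistryHost) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    // Any of these hooks runs arbitrary commands during `npm install`.
    if (typeof scripts[hook] === "string") {
      findings.push(`install-hook:${hook}=${scripts[hook]}`);
    }
  }
  const major = parseInt(String(manifest.version || "").split(".")[0], 10);
  if (Number.isInteger(major) && major >= MAJOR_THRESHOLD) {
    findings.push(`high-version:${manifest.version}`);
  }
  if (INTERNAL_NAMES.has(manifest.name)) {
    let host = "";
    try { host = new URL(resolvedFrom).hostname; } catch { host = ""; }
    // An internal name served by any other host is the dependency-confusion signal.
    if (host !== privateRegistryHost) {
      findings.push(`internal-name-from:${host || "unknown"}`);
    }
  }
  return findings;
}

// Constructed sample data, modelled on the fields the advisory reports.
const SUSPECT = { name: "walmart-shared-modules", version: "99.0.1",
                  scripts: { preinstall: "node poc.js" } };
const BENIGN = { name: "example-lib", version: "1.4.2", scripts: { test: "node test.js" } };
const PUBLIC_URL =
  "https://registry.npmjs.org/walmart-shared-modules/-/walmart-shared-modules-99.0.1.tgz";
const PRIVATE_HOST = "npm.internal.example";

console.log(auditManifest(SUSPECT, PUBLIC_URL, PRIVATE_HOST));
console.log(auditManifest(BENIGN, "https://registry.npmjs.org/example-lib/-/example-lib-1.4.2.tgz", PRIVATE_HOST));
```

npm's `--ignore-scripts` option (or `ignore-scripts=true` in `.npmrc`) stops lifecycle hooks such as `preinstall` from running during install.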
Affected packages
No fixed version published yet for walmart-shared-modules (npm). Pin to a known-safe version or switch to an alternative.