MAL-2026-5490
Malicious code in sb-original (npm)
Details
## Source: amazon-inspector (c0e07a765f6ef2042da47b1c017ecc5f6f1f99167da76e04c4b2c4ea6ecfcb83)

sb-original@9999.99.99 is an unscoped package whose version is set to 9999.99.99 so that, when a build resolves `sb-original` from the public registry alongside a private one, the public copy outranks any internal package of the same name under semver resolution. index.js transparently re-exports the real `sb-original` module, so consumers see normal functionality, while a postinstall script silently fingerprints the installing environment.

On `npm install`, postinstall.js POSTs JSON containing the consuming package name and version, the Node version, the OS, the detected CI provider, and GitHub repository, owner and workflow identifiers to https://ddactic-lab.online/sc/beacon (postinstall.js:32). It also has a DNS-based fallback that encodes the same fields as labels of a subdomain of b.ddactic-lab.online (postinstall.js:46, ``dns.lookup(`${sl}.${ci}.${h}.b.ddactic-lab.online`, ...)``), so the beacon still leaves the host where outbound HTTP is blocked but DNS resolution is allowed.

The combination of an extreme version floor, a transparent proxy main, and unconditional install-time exfiltration of GitHub repository identifiers to an attacker-controlled domain is the canonical dependency-confusion attack shape.
Affected packages
No fixed version published yet for sb-original (npm). The public package is the malicious one, so there is no safe version of it to pin to: remove it from any lockfile or node_modules where it appears, and make sure the internal `sb-original` name can only resolve from your private registry (for example by scoping internal packages and configuring the registry per scope in .npmrc) so the public copy cannot win resolution again. Treat any CI host that ran the postinstall as having disclosed its repository, owner and workflow identifiers to the attacker's domain.