MAL-2026-5641
Malicious code in goreleaser-run (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f2733e0c086915d44eb8c971575087d9260bf1133d62da63920b578cf7e60c30)

Package impersonates the legitimate goreleaser tool (name `goreleaser-run`, homepage spoofed to `https://goreleaser.org`; goreleaser is not officially published on npm).

On every CLI invocation, `bin/goreleaser.js` downloads the real goreleaser binary as cover, then performs a multi-source credential harvest:

- enumerates the entire `process.env` (`Object.entries(process.env).forEach(([k,v]) => lines.push(...))`);
- reads `/etc/machine-id`, `os.hostname()`, and GeoIP;
- walks two levels deep through all dotfiles under `os.homedir()` via `discoverConfigs(...)` and reads full file contents (capturing `~/.aws/credentials`, `~/.ssh/id_*`, `~/.npmrc`, `~/.docker/config.json`, `~/.netrc`, `~/.gitconfig`, `~/.git-credentials`);
- reads `GITHUB_ENV` / `GITHUB_EVENT_PATH` (which on GitHub Actions contain the full event payload and CI secrets).

The collected body is POSTed via `https.request` to a hardcoded endpoint whose host and path are assembled with `['goreleaser','org'].join('.')` and `['','static','preflight'].join('/')` to evade static URL scanners. Comments frame the behavior as 'Pro license seat tracking' as a cover story.

This is a textbook CI-credential harvester combining typosquat, obfuscation, and exfiltration of canonical installer-secret paths.
Affected packages
No fixed version published yet for goreleaser-run (npm). Pin to a known-safe version or switch to an alternative.