MAL-2026-5726
Malicious code in ecto_module (npm)
Details
## Source: amazon-inspector (7e66c690abd94ee498cd359eb076451c0f6ea3956d8221616bbf8990d35a38c5)

On `npm install`, the package's preinstall hook (`node index.js`) reads `/flag.txt` (falling back to `execSync('cat /flag*')`) and transmits the captured contents in a JSON `manifest` field via HTTP PUT to a hardcoded endpoint at 127.0.0.1:3000/api/modules/ECT-987654. The package has no legitimate functionality: its description is simply 'Probe', it ships only `index.js` plus `package.json`, and the sole effect of installation is to read an installer-side file and ship it to whatever process is listening on the loopback port. This is a CTF/supply-chain probe payload: filesystem read, shell command execution and outbound HTTP, all auto-fired at install time.
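The behaviour above is detectable before any install script runs: a package that declares an install-time lifecycle hook whose entry file combines a shell exec, an absolute-path file read and an outbound HTTP call is the signature of exactly this probe. The following pre-install checker is an added example (not part of the advisory or the OSV tooling); the `package.json` and `index.js` contents it scans are constructed stand-ins modelled on the description, not the real package files.

```python
import json
import re

# Install-time hooks npm runs automatically unless --ignore-scripts is used.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Source patterns for the three behaviours the advisory describes.
INDICATORS = {
    "shell_exec": re.compile(r"\b(?:execSync|exec|spawnSync|spawn)\s*\("),
    "absolute_path_read": re.compile(r"readFileSync\s*\(\s*['\"]/"),
    "outbound_http": re.compile(r"\bhttps?\.request\s*\(|\bfetch\s*\("),
}

def lifecycle_scripts(package_json: str) -> dict:
    """Return only the scripts npm would fire during install."""
    scripts = json.loads(package_json).get("scripts", {})
    return {h: c for h, c in scripts.items() if h in LIFECYCLE_HOOKS}

def find_indicators(source: str) -> set:
    """Names of INDICATORS that match the given JS source."""
    return {n for n, rx in INDICATORS.items() if rx.search(source)}

def assess(package_json: str, files: dict) -> dict:
    """Rate install-time risk; only .js files named in a hook command are scanned."""
    hooks = lifecycle_scripts(package_json)
    hits = set()
    for cmd in hooks.values():
        for name, body in files.items():
            if name.endswith(".js") and name in cmd:
                hits |= find_indicators(body)
    if not hooks:
        verdict = "none"
    elif len(hits) == len(INDICATORS):
        verdict = "high"  # exec + absolute file read + HTTP, all from a hook
    else:
        verdict = "medium" if hits else "low"
    return {"hooks": hooks, "indicators": sorted(hits), "verdict": verdict}

# Constructed sample mirroring the advisory's description, not the real files.
SAMPLE_PACKAGE_JSON = json.dumps({"name": "ecto_module", "description": "Probe",
                                  "scripts": {"preinstall": "node index.js"}})
SAMPLE_INDEX_JS = (
    "const fs = require('fs');\n"
    "const { execSync } = require('child_process');\n"
    "const http = require('http');\n"
    "fs.readFileSync('/flag.txt', 'utf8');  // constructed fragments only\n"
    "execSync('cat /flag*');\n"
    "http.request({ host: '127.0.0.1', port: 3000, method: 'PUT' });\n"
)
```

Running `assess(SAMPLE_PACKAGE_JSON, {"index.js": SAMPLE_INDEX_JS})` yields a `high` verdict; in a CI gate, pair it with `npm install --ignore-scripts` so no hook fires until the result has been reviewed.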
Affected packages
No fixed version has been published yet for ecto_module (npm). Pin to a known-safe version or switch to an alternative.