MAL-2026-5779

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c41be27601d38eb5c0b527a9ec22b7516734e8eae985a2607ae6d70878f5f1d9) package.json declares a preinstall hook (`node postinstall.js`) that fires automatically on `npm install`. The script collects host identity (os.hostname(), os.userInfo().username, process.cwd()) and enumerates process.env, filtering keys against the regex /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i to harvest any credential-shaped variables (AWS keys, SSH/deploy tokens, RPC/wallet secrets, API tokens, etc.). The collected JSON payload is HTTPS POSTed to the hardcoded bare IP 185.130.46.35:8443 at path /collect. The package has no library functionality — `index.js` exports an empty object — and is published at version 999.0.0, the canonical dependency-confusion shape used to override an internal package name with a higher public version. The package's sole purpose is to harvest installer/CI secrets.