MAL-2026-5780
Malicious code in ing-feat-itsme-oidc-authentication (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (175d0dba1f70bc84bcd4e29b57e0f7831248582614cd146af7d1ea6d1d057cd5)

On npm install, package.json's `preinstall` hook executes `poc.js`, which collects `os.hostname()`, `os.userInfo().username`, `process.cwd()`, and `process.platform`, base64-encodes the values, and issues an HTTPS GET to `https://d8ntv8plujrg25sttkvg31bowtxhm7ex7.oast.live/cb?id=<token>&d=<b64>` — sending installer host, user, working directory, and platform to an external Burp Collaborator / interactsh subdomain without consent. The package is named to mimic an internal ING Bank namespace and pinned to version 99.99.99 to win resolution in dependency-confusion scenarios. Any developer or CI environment that resolves this name leaks identifying host data to an attacker-controlled collaborator endpoint. This matches the textbook dependency-confusion exfiltration pattern regardless of any authorization claim made by the author.
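The traits described above (an install-time hook, an inflated version, an unscoped name resembling an internal namespace) can be checked in a parsed `package.json` before anything is installed. The following is an added example, not code from the advisory or the package. The `ing-` prefix, the version threshold, the hook command string and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example: audit a parsed package.json for the traits this advisory describes.
// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumption: a major version this high is treated as a "win resolution" pin.
const MAJOR_THRESHOLD = 99;

function auditManifest(manifest, internalPrefixes = []) {
  const findings = [];
  const name = String(manifest.name || "");
  const scripts = manifest.scripts || {};

  // 1. Code that executes on install, before any developer has reviewed it.
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string" && scripts[hook].trim() !== "") {
      findings.push({ rule: "install-hook", detail: `${hook}: ${scripts[hook]}` });
    }
  }

  // 2. Inflated version intended to outrank the private package of the same name.
  const major = parseInt(String(manifest.version || "").split(".")[0], 10);
  if (Number.isInteger(major) && major >= MAJOR_THRESHOLD) {
    findings.push({ rule: "inflated-version", detail: String(manifest.version) });
  }

  // 3. Unscoped name with an internal-looking prefix: anyone can publish it publicly.
  if (!name.startsWith("@") && internalPrefixes.some((p) => name.startsWith(p))) {
    findings.push({ rule: "internal-name-unscoped", detail: name });
  }
  return findings;
}

// Constructed manifests. The preinstall command string is assumed, not quoted from the package.
const suspicious = {
  name: "ing-feat-itsme-oidc-authentication",
  version: "99.99.99",
  scripts: { preinstall: "node poc.js" },
};
const benign = { name: "example-lib", version: "1.3.0", scripts: { test: "node test.js" } };

function demo() {
  const rules = (m) => auditManifest(m, ["ing-"]).map((f) => f.rule);
  return { suspicious: rules(suspicious), benign: rules(benign) };
}

console.log(demo());
```

Install hooks alone are common in legitimate native-addon packages, so treat a single finding as a prompt for review and the combination of all three as a strong signal.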
Affected packages
No fixed version published yet for ing-feat-itsme-oidc-authentication (npm). Pin to a known-safe version or switch to an alternative.