MAL-2026-5782

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (10adc862166a2dbaf26f3dc56b4c1dfa0fd45e625f713380564d0b18fb07088d) On `npm install`, the preinstall lifecycle script in postinstall.js enumerates process.env, filters keys matching a broad credential regex (key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host), and bundles them with hostname, username, cwd, and npm registry/prefix metadata. The collected payload is POSTed over the network to a hardcoded bare IP at 185.130.46.35:8443 — no domain, no TLS verification context, no documented purpose. The package itself is a hollow shell: index.js is `module.exports = {}`, the description is 'Internal package', and the version is 999.0.0 — the canonical dependency-confusion shape designed to win resolution against a private-registry package of the same name and trigger the credential harvester on corporate build machines. A source comment confirms intent ('Exfil CI environment variables on install').