MAL-2026-5783
Malicious code in vault-strategies (npm)
Details
## Source: amazon-inspector (6b7037d9efc65a0885cc000a92c46ea9bed2097d02c8fb2883ceaa3eb2fd5eeb)

On `npm install`, the package's preinstall hook (`preinstall: node postinstall.js || true`) executes `postinstall.js`, which enumerates `process.env` and filters keys with a broad credential regex (`key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host`), bundles the matched values together with hostname, username, cwd, and npm configuration, and POSTs the payload over HTTPS to the hardcoded bare IP `185.130.46.35:8443/collect`. Errors are swallowed via `|| true` and try/catch so the exfiltration is silent. The version is published as `999.0.0` with description `Internal package`. This is the canonical dependency-confusion shape, designed to be auto-resolved over an organization's private `vault-strategies` package and fire the credential-harvest payload at install time.
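The traits described above can be checked mechanically when triaging a dependency tree. The following is an added example, not code from the package or from Amazon Inspector; the function names, the rule labels, the major-version threshold of 99, and the sample inputs (including the placeholder IP) are assumptions made for illustration.

```javascript
// Added example: triage heuristics for the package shape described in this advisory.
// Rule labels and thresholds are assumptions, not an npm or Amazon Inspector API.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push(`install-hook:${hook}`);
    // A trailing "|| true" hides a failing hook from whoever runs the install.
    if (/\|\|\s*true\s*$/.test(cmd)) findings.push(`errors-suppressed:${hook}`);
  }
  // An inflated major version outranks any private package of the same name.
  const major = parseInt(String(manifest.version || "").split(".")[0], 10);
  if (major >= 99) findings.push("inflated-version");
  return findings;
}

function auditHookSource(source) {
  const findings = [];
  // Whole-environment enumeration instead of reading one named variable.
  if (/Object\.(keys|entries)\(\s*process\.env\s*\)|\bin\s+process\.env\b/.test(source))
    findings.push("env-enumeration");
  // Network endpoint given as a bare IPv4 address rather than a hostname.
  if (/\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b/.test(source)) findings.push("bare-ip-endpoint");
  return findings;
}

// Constructed sample inputs modelled on the advisory text (not the real package contents).
const sampleManifest = {
  name: "vault-strategies",
  version: "999.0.0",
  description: "Internal package",
  scripts: { preinstall: "node postinstall.js || true" },
};
const sampleSource = `
const hits = Object.keys(process.env).filter(k => /token|secret/i.test(k));
const target = { host: "192.0.2.10", port: 8443, path: "/collect" }; // placeholder IP
`;

console.log(auditManifest(sampleManifest), auditHookSource(sampleSource));
```

Each rule alone is common in legitimate packages (many ship install hooks); it is the combination on a name that collides with an internal package that warrants quarantine.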
Affected packages
No fixed version published yet for vault-strategies (npm). Pin to a known-safe version or switch to an alternative.