MAL-2026-5785
Malicious code in ve-hemi-rewards (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a8252216c6621e6391775d34f5e32815ab8c2a830df080fed52113b4cf855aa1)

On `npm install`, the package's preinstall lifecycle invokes postinstall.js, which collects hostname, username, and current working directory, then iterates process.env and filters keys against the regex `/key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i`. The matching key/value pairs (CI tokens, cloud credentials, SSH/deploy keys, RPC and wallet secrets, etc.) are JSON-serialized and POSTed over HTTPS to a hardcoded bare IP, 185.130.46.35:8443/collect. The package name 've-hemi-rewards' at version 999.0.0 with description 'Internal package' is a classic dependency-confusion shape — a high-version stub published to the public registry to override resolution of an organization's private package of the same name. There is no legitimate functionality; the package exists to harvest installer secrets.
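For triage, the sketch below (an added example, not part of the advisory or of any vendor tooling) checks a parsed `package-lock.json` (lockfileVersion 2 or 3) for the package and lists the names, never the values, of the environment variables the quoted filter would have matched. The function names, the sample lockfile and the sample environment are constructed for illustration.

```javascript
// Key filter as quoted in the advisory text above.
const HARVEST_RE = /key|secret|token|pass|private|ssh|deploy|auth|api|rpc|wallet|sentry|docker|graph|slack|host/i;
const PACKAGE = "ve-hemi-rewards";

// Names (never values) of environment variables the filter would have matched.
function exposedKeys(env) {
  return Object.keys(env).filter((k) => HARVEST_RE.test(k)).sort();
}

// Entries for the package in a parsed lockfile's "packages" map, including
// copies nested under another dependency's node_modules directory.
function findInLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) {
      hits.push({ path, version: meta.version, hasInstallScript: meta.hasInstallScript === true });
    }
  }
  return hits;
}

// If the package was resolved, report which variable names to treat as exposed.
function triage(lock, env) {
  const hits = findInLockfile(lock);
  return { installed: hits.length > 0, hits, exposed: hits.length ? exposedKeys(env) : [] };
}

// Constructed sample inputs; in practice pass JSON.parse of the real lockfile
// and the environment of the machine or CI job that ran the install.
const SAMPLE_ENV = {
  HOSTNAME: "ci-runner-1",
  NPM_TOKEN: "placeholder",
  AWS_SECRET_ACCESS_KEY: "placeholder",
  ETH_RPC_URL: "placeholder",
  PATH: "/usr/bin",
  HOME: "/home/ci",
  CI: "true",
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/ve-hemi-rewards": { version: "999.0.0", hasInstallScript: true },
  },
};

console.log(JSON.stringify(triage(SAMPLE_LOCK, SAMPLE_ENV), null, 2));
```

Hostname, username and working directory are collected regardless of the filter, so the listed names are a minimum for rotation, not a complete inventory of what left the host.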
Affected packages
No fixed version published yet for ve-hemi-rewards (npm). Pin to a known-safe version or switch to an alternative.