
MAL-2026-5804

Malicious code in flow-lending-sdk (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (faf2e80d03da797a24237629d2c2bc87fa936f996c4de55bcd938283b1a617b9)

flow-lending-sdk@9.9.9 declares `preinstall: node index.js || true` in package.json, causing index.js to execute automatically on `npm install`. The script collects host identity (hostname, username, cwd) and iterates `process.env`, filtering for keys matching /key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher/i — i.e., wallet seed phrases, private keys, API tokens, and infrastructure credentials. The collected JSON is HTTPS-POSTed to the bare IP `2.25.140.71:8443` at path `/surflending/npm-confusion`. The package ships no real SDK functionality (description is the placeholder `flow-lending-sdk SDK`, version is `9.9.9`), and the exfil URL path explicitly names this as a dependency-confusion attack — almost certainly targeting developers of Cardano/Flow lending infrastructure who expect a private internal package of this name.


Affected packages

npm / flow-lending-sdk

No fixed version published yet for flow-lending-sdk (npm). Pin to a known-safe version or switch to an alternative.

References