MAL-2026-5806
Malicious code in flowdefi (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b5e410fabd766facf41c970113c2a0a1b06b67b82521ffae20a32328cd74994e)

On `npm install`, the package's preinstall hook executes `node index.js`, which collects the host's `os.hostname()`, `os.userInfo().username`, current working directory, and all environment variables whose names match a credential-shaped regex (`key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher`). The harvested data is POSTed as JSON to the bare IPv4 endpoint `https://2.25.140.71:8443/surflending/npm-confusion`. The package metadata is a stub (`description: "flowdefi SDK"`, no repository, no author, version pinned to `9.9.9` — a classic dependency-confusion high-version trick), and the exfil path is literally named `/surflending/npm-confusion`, indicating a dependency-confusion attack targeting an internal package named `flowdefi`, likely belonging to a Cardano/DeFi project (the regex specifically targets Cardano-ecosystem secrets such as `blockfrost`, `mnemonic`, `seed`, `batcher`). Installing this package on a developer or CI machine will leak wallet seed phrases, private keys, API tokens, and other secrets to the attacker.
Affected packages
No fixed version published yet for flowdefi (npm). Because this is a dependency-confusion package squatting on what appears to be an internal name, no version on the public npm registry should be treated as known-safe: make sure the internal `flowdefi` name resolves only to your internal registry (for example by scoping it or binding it to that registry in `.npmrc`), remove the package from any machine that installed it, and rotate every secret whose variable name matches the regex above on each developer or CI host that ran the install.