MAL-2026-5808

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2ee48ee7b6045907414fd157235c904e9de41a64666deda286a011e0abc17b6e) On `npm install`, the package automatically runs `node index.js` via `scripts.preinstall`. The script collects host identity (hostname, username, cwd) and filters `process.env` for keys matching /key|seed|secret|token|private|mnemonic|password|blockfrost|redis|telegram|batcher/i, then POSTs the resulting JSON to https://2.25.140.71:8443/surflending/npm-confusion. Errors are swallowed (`|| true`) to hide failures. The credential-shaped regex (mnemonic/seed/private/blockfrost) targets crypto-wallet and infrastructure secrets, and the path `/surflending/npm-confusion` together with the suspicious 9.9.9 version is consistent with a dependency-confusion attack against an internal `surf-lending` package. Any developer or CI environment installing this package will leak its secrets to the attacker-controlled endpoint.