MAL-2026-5832
Malicious code in vend-utilities (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (89ed34c4d09a0f8bb373f141d18157203eb73efec9461434a7957dfe17ba72f1)

package.json declares `preinstall: node index.js`, causing index.js to run automatically on `npm install`. The script collects installer host identity (os.hostname(), os.userInfo() including uid/gid/shell/homedir, process.cwd(), process.platform/arch, OS release, memory, cpus) and executes `whoami` and `id` via child_process to capture their output, then POSTs the combined JSON payload to a hardcoded Burp Collaborator subdomain at https://6cjy9tle5weq8pr6m8r5znzd349vxmlb.oastify.com/detox56 (index.js:7, :83). The package has empty author/description metadata and a dependency-confusion-style name. An undeclared 10.8 KB sibling file `i` ships in the tarball but is not reached by the preinstall path. Installing this package leaks installer host identity and shell-recon output to an attacker-controlled endpoint.
Affected packages
No fixed version published yet for vend-utilities (npm). Pin to a known-safe version or switch to an alternative.