MAL-2026-5859
Malicious code in setka-editor (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a9dd5cda5d5a0925c139a36f0ea4c69b96052ff203d7dc365ac119408ba76069)

package.json registers both `preinstall` and `postinstall` lifecycle hooks that run `node callback.js`, so the script executes automatically on `npm install` (twice, once per hook). callback.js collects installer-side identity and environment data: username, uid/gid, homedir, hostname, platform, cwd, local network interfaces, external IP (via api.ipify.org), Node version, and presence flags for CI secrets (AWS_ACCESS_KEY_ID, GITHUB_TOKEN, NPM_TOKEN, DOCKER_PASSWORD). It POSTs the result to a hardcoded Discord webhook (`https://discord.com/api/webhooks/1516163806559076442/...`), with a DNS-based exfiltration fallback if the HTTPS request fails.

The package self-identifies as a dependency-confusion proof of concept and is published at version 999.0.0 so that it outranks any private-registry package of the same name during resolution. Any build pipeline that resolves `setka-editor` from the public npm registry will run the callback and leak the data listed above. Regardless of the stated research intent, install-time exfiltration of installer host data and CI secret-presence flags to an attacker-controlled Discord endpoint is a real supply-chain attack against every pipeline that resolves this name.
Affected packages
No fixed version published yet for setka-editor (npm). Because this is a dependency-confusion package, no public-registry version of this name should be trusted: pin a known-safe version served from your private registry, or configure `.npmrc` so the name resolves only there, and consider running `npm install --ignore-scripts` in CI so lifecycle hooks cannot execute unreviewed. Otherwise switch to an alternative.