MAL-2026-5863
Malicious code in @ts-internal/shared-lib (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (7afc836ea4b9ecc7e09f0add976470f1b4e253f8b5b53b3ce706889efb349171)

The package squats the internal-looking scope @ts-internal/shared-lib on the public npm registry and runs a network beacon both during install (the preinstall and postinstall hooks invoke `node lifecycle.js`) and on module load (index.js calls `require('./beacon').beacon('require')`). beacon.js collects `os.hostname()`, `os.userInfo().username`, `process.cwd()`, `os.platform()`, and the package name and version, hex-encodes the blob, and transmits it via a DNS lookup and an HTTPS GET to `d8oa6q03t3o2ksbjirogwxiwiyhp6e57o.oast.site` (an interactsh OAST collector) and `npm-dc-seek-1781572474.testingboxes.com`. Any build that resolves this name against the public registry instead of the internal one it was meant for (the dependency-confusion case) silently leaks identifying host metadata to two third-party endpoints. The README self-describes the package as a dependency-confusion proof-of-concept, but installers cannot consent and cannot verify researcher authorization; the squat-plus-beacon mechanism is the attack regardless of stated intent.
Affected packages
No fixed version has been published for @ts-internal/shared-lib (npm). Since the package is a squat of an internal-looking scope rather than a compromised release of a legitimate library, there is no known-safe version to pin to; remove it and make sure the @ts-internal scope resolves to your internal registry rather than the public one.