MAL-2026-5981

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cae901b673ee21724897f69c782eb2808c55c2722bacc9912a4a3e60f7019883) package.json declares a postinstall hook ("postinstall": "node run.js") that executes run.js automatically on every npm install. run.js imports os, fs, http, https, and child_process, reads host identifiers including os.hostname() and os.platform(), reads files from disk via fs.readFileSync, and issues outbound HTTP POST requests carrying that data. The package's stated name ("metrics-probe") with a random hex suffix, combined with an install-time host-fingerprinting beacon and no library functionality, matches the shape of an installer-side reconnaissance / data-exfiltration payload that fires automatically on `npm install` without any user action.