MAL-2026-5987

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1df5f4bdd6e2f58ff581cbad0d01738b5f6464794ace1a9fa95eea061a5bb7d5) package.json declares a preinstall lifecycle script that runs automatically during `npm install`. The script executes `hostname`, `whoami`, and `pwd`, then uses curl to POST the combined output (current user, host name, and install directory) as a urlencoded `info` field to https://webhook.site/1ea0386f-dcc0-4f1b-bdbb-61732d6535fb/ogd-analytics. webhook.site is an anonymous request-bin service, not a publisher-controlled domain, and the beacon has no relation to any advertised analytics functionality. The behavior is unconditional installer-side reconnaissance — user identity, machine identity, and filesystem location are exfiltrated to a third-party collector on every install, providing an attacker the host inventory needed for follow-on targeting (dependency confusion, internal-build-system fingerprinting).