MAL-2026-6126

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c110ed26ad413cb298fa3f2ce6d435eda5521dfc4113ea5520478030ce063e74) On require()/import, index.js reads os.hostname() and issues an HTTP GET to 'shared-components.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com/shared-components', leaking the installer's hostname out-of-band to an attacker-controlled Burp Collaborator subdomain. The package.json describes the package as a 'Security PoC placeholder - benign, no runtime payload' but the shipped index.js contradicts that claim and actively beacons on every load. The @onum-releases scope combined with the generic 'shared-components' name is consistent with a dependency-confusion squat against an internal Onum private package; any build that resolves this public version executes the beacon and discloses the host identifier to a third party. Self-described 'PoC' framing does not neutralize the harm — the code performs real installer-side data exfiltration.