MAL-2026-6127
Malicious code in @onum-releases/utils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (887866a4734ebf64a639f9d2512cd400085469ec7fa06aba5f1bbe340b2688b8)

On require('@onum-releases/utils'), index.js reads os.hostname() and issues an HTTP GET to 'utils.<hostname>.200majoeu01dk02xnjdajro1isojc90y.oastify.com', an out-of-band collaborator endpoint controlled by the package publisher. The installer's hostname leaks twice: once when the beacon name is resolved over DNS, and again in the HTTP request itself, so blocking the HTTP request alone does not prevent the DNS leak. The beacon fires unconditionally on module load, so any consumer that imports the package exposes its host identifier to the attacker-controlled collaborator. The package.json description claims 'Security PoC placeholder - benign, no runtime payload', which the shipped code directly contradicts. The scope '@onum-releases' impersonates the Onum vendor namespace, consistent with a dependency-confusion lure aimed at that organization's developers.
Affected packages
No fixed version has been published for @onum-releases/utils (npm). Pin to a version known to be clean, or remove the package in favour of an alternative; because the beacon fires on every require, treat any host that installed an affected version as having already disclosed its hostname to the collaborator endpoint.