MAL-2026-6239

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f33093da9f0bcf9358f3b00bd87e723d95267074539c72511ab58bff4172f092) The package declares a postinstall hook in package.json ("postinstall": "node install.js") that auto-executes install.js on every npm install. install.js imports https, fs, os, and child_process; collects host identity via os.hostname() and os.userInfo() (line 16, 18); reads filesystem state with fs.existsSync (lines 53, 62, 83); shells out via execSync (line 77); and POSTs the collected data over an https.request to a remote endpoint (lines 96, 104, 113). The combination of host/user identity collection, filesystem probing, command execution, and outbound HTTPS POST inside a postinstall script is the canonical install-time exfiltration shape. Installing the package causes the installer's machine identity and environment data to be transmitted to a remote endpoint without consent.