MAL-2026-6240
Malicious code in atlasora-sdk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cc75492c0a0ce4090918bfdef0cea9cc028ef4c8273283d32085189e13a59c51)

Package ships a postinstall hook (`package.json` scripts.postinstall: `node install.js`) that runs automatically on every `npm install`. install.js reads classic installer-secret paths — `~/.ssh/*` (any file containing 'PRIVATE' or 'KEY'), `~/.aws/credentials`, `~/.npmrc`, and `.env` / `.env.local` / `.env.production` from the working directory — and bulk-scrapes 30+ environment variables shaped like credentials (PRIVATE_KEY, AWS_SECRET_ACCESS_KEY, JWT_SECRET, COINBASE_*, SUPABASE_SERVICE_ROLE_KEY, ANTHROPIC_*, etc.), plus host identity (`os.hostname()`, `os.userInfo()`, `git config --list`). The collected bundle is POSTed as JSON over HTTPS to a hardcoded anonymous webhook.site collection URL stored in a variable literally named `EXFIL_SERVER`. The package's `index.js` exports only a stub `{version, name}` — there is no real SDK functionality, despite the package name and description claiming to be the AtlasOra Web3 vacation-rental SDK. This is a brand-impersonation credential harvester targeting AtlasOra developers; any machine that runs `npm install atlasora-sdk` is fully compromised.
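The shape described above (an install-time lifecycle hook, credential-file paths and secret-shaped variable names in the hook script, a webhook.site destination, and an entry point with no real code) can be checked before a package is ever installed. The audit below is an added example, not code from the advisory, from Amazon Inspector or from the package; the rule weights, the verdict thresholds and the fixture package are constructed assumptions, and the fixture is inert.

```javascript
// Added example, not code from the advisory or the package: heuristic audit of an
// unpacked npm package for the install-hook credential-harvester pattern above.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Indicators taken from the advisory text; each hit adds its weight to the score.
const RULES = [
  { id: 'credential-files',  re: /\.ssh\b|\.aws\/credentials|\.npmrc\b|\.env(\.\w+)?\b/, weight: 3 },
  { id: 'env-secret-names',  re: /\b(PRIVATE_KEY|AWS_SECRET_ACCESS_KEY|JWT_SECRET|SERVICE_ROLE_KEY)\b/, weight: 2 },
  { id: 'host-fingerprint',  re: /os\.(hostname|userInfo)\(|git config --list/, weight: 1 },
  { id: 'anonymous-webhook', re: /webhook\.site/, weight: 4 },
  { id: 'exfil-naming',      re: /exfil/i, weight: 2 },
];
// Only `node <file>` hooks can be inspected offline; any other command is opaque here.
function hookScriptFile(command) {
  const m = /^\s*node\s+([^\s&;|]+)/.exec(command);
  return m ? m[1] : null;
}
// pkg: parsed package.json; files: map of file name -> contents (no I/O, no network).
function auditPackage(pkg, files) {
  const findings = [];
  const scripts = pkg.scripts || {};
  let hasInstallHook = false;
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    hasInstallHook = true;
    findings.push({ rule: 'install-hook', detail: `${hook}: ${scripts[hook]}`, weight: 2 });
    const file = hookScriptFile(scripts[hook]);
    const src = file && files[file];
    if (typeof src !== 'string') continue;
    for (const r of RULES) if (r.re.test(src)) findings.push({ rule: r.id, detail: file, weight: r.weight });
  }
  // An install hook beside an entry point with no executable code (no functions,
  // arrows or requires) is the "stub SDK" shape the advisory describes.
  const main = files[pkg.main || 'index.js'];
  if (hasInstallHook && typeof main === 'string' && !/function|=>|require\(|import\s/.test(main)) {
    findings.push({ rule: 'stub-entrypoint', detail: pkg.main || 'index.js', weight: 2 });
  }
  const score = findings.reduce((sum, f) => sum + f.weight, 0);
  return { score, verdict: score >= 8 ? 'block' : score >= 4 ? 'review' : 'ok', findings };
}

// Constructed, inert fixture mirroring the advisory: only the strings the rules match, no I/O.
const FIXTURE_PKG = { name: 'example-sdk', main: 'index.js', scripts: { postinstall: 'node install.js' } };
const FIXTURE_FILES = {
  'index.js': "module.exports = { version: '1.0.0', name: 'example-sdk' };",
  'install.js': "const os = require('os');\nconst EXFIL_SERVER = 'https://webhook.site/PLACEHOLDER';\n" +
    "const targets = ['~/.ssh', '~/.aws/credentials', '~/.npmrc', '.env.production'];\n" +
    "const wanted = ['PRIVATE_KEY', 'JWT_SECRET']; const host = { name: os.hostname(), user: os.userInfo() };",
};
console.log(JSON.stringify(auditPackage(FIXTURE_PKG, FIXTURE_FILES), null, 2));
```

Run it against a package unpacked with `npm pack` to get a score before anything executes; a hook that is not a plain `node <file>` command is reported as the hook alone, so treat an unreadable hook as a reason to look further, not as a clean result.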
Affected packages
No fixed version published yet for atlasora-sdk (npm). Pin to a known-safe version or switch to an alternative.