MAL-2026-6263

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4de00613e21b42bf3c651995beae63ff9d85772b9370145152d172a062be4fb7) package.json declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js requires os, dns, https, querystring, and the local package.json, then collects installer host identifiers — homedir (os.homedir()), hostname (os.hostname()), username (os.userInfo().username), configured DNS servers (dns.getServers()), current working directory (__dirname), and the full package.json contents — and POSTs them via HTTPS to `6pwzxcku93yjz1m1mp1ctzofj6pxdn1c.oastify.com/dependency-confusion`, a Burp Collaborator (OAST) subdomain controlled by the publisher. The version number 999.0.0 combined with a generic, unscoped name is the standard dependency-confusion shape: the package is published to the public registry to win resolution against an internal/private package of the same name in a victim's build, at which point the preinstall hook beacons home with environment fingerprints suitable for follow-up targeting. Any developer or CI system that resolves this package suffers immediate exfiltration of host identity to an attacker-controlled endpoint at install time.