MAL-2026-6264
Malicious code in search-from-feed (npm)
Details
## Source: amazon-inspector (c9291507e6e48bff8b92fcd9dd1f51345077f59aae2692f3d7ca84a8c0581b04)

search-from-feed@999.0.0 is a dependency-confusion attack package. package.json declares both `preinstall` and `postinstall` as `node callback.js`, so the payload fires automatically on every `npm install`. callback.js (lines 12-15 require https/http/os/child_process) collects the installer's username, uid/gid, homedir, hostname, cwd, local IP and external IP (queried from https://api.ipify.org), along with CI environment variables (GITHUB_TOKEN/GITHUB_REPOSITORY/GITHUB_ACTOR, GITLAB_*, JENKINS, BUILD_NUMBER, etc.), and POSTs the collected data to a hardcoded Discord webhook (`https://discord.com/api/webhooks/1516163806559076442/...`). It additionally probes for AWS_ACCESS_KEY_ID, GITHUB_TOKEN, NPM_TOKEN and DOCKER_PASSWORD and reports the presence of these secrets to the same webhook, flagging which CI runners are worth pivoting into.

The 999.0.0 version is the canonical dependency-confusion shape, designed to outrank an organization's internal package of the same name during public-registry resolution. The package's own source comments self-describe it as a "Dependency Confusion PoC", but the install-time beacon to an attacker-controlled webhook with CI-secret enumeration is an active supply-chain attack regardless of framing.
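As an added defensive example (not part of this advisory or of any OSV or Amazon Inspector tooling), the script below flags the package shape described above: install-time lifecycle hooks that hand off to a Node script, indicators of host fingerprinting, CI-secret enumeration and webhook beaconing in that script, and an implausibly high major version. The indicator names, the `scanPackage` API and the sample fixture are constructed for this example; the fixture's webhook URL is a placeholder.

```javascript
// Added example (not from the advisory): flag npm packages whose install-time
// lifecycle hooks run a script showing the exfiltration indicators described above.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Indicator patterns derived from the advisory text; the names are our own.
const INDICATORS = [
  { name: 'webhook-exfil', re: /discord(?:app)?\.com\/api\/webhooks/i },
  { name: 'external-ip-lookup', re: /api\.ipify\.org/i },
  { name: 'ci-secret-enumeration', re: /\b(?:GITHUB_TOKEN|NPM_TOKEN|AWS_ACCESS_KEY_ID|DOCKER_PASSWORD)\b/ },
  { name: 'host-fingerprinting', re: /\bos\.(?:userInfo|hostname|homedir|networkInterfaces)\(/ },
  { name: 'shell-execution', re: /\bchild_process\b/ },
];

// pkg is a parsed package.json; readFile(relPath) returns the file's text or null.
function scanPackage(pkg, readFile) {
  const findings = [];
  const scripts = pkg.scripts || {};
  const scanned = new Set();
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ kind: 'lifecycle-hook', hook, command: cmd });
    const m = /^node\s+([^\s;&|]+)/.exec(cmd);   // e.g. "node callback.js"
    if (!m || scanned.has(m[1])) continue;      // each referenced script is scanned once
    scanned.add(m[1]);
    const src = readFile(m[1]);
    if (src == null) continue;
    for (const ind of INDICATORS) {
      if (ind.re.test(src)) findings.push({ kind: 'indicator', file: m[1], name: ind.name });
    }
  }
  // An implausibly high major version is the classic dependency-confusion shape.
  const major = parseInt(String(pkg.version).split('.')[0], 10);
  if (major >= 100) findings.push({ kind: 'suspicious-version', version: pkg.version });
  return findings;
}

// Constructed fixture modelled on the advisory; the webhook URL is a placeholder.
const SAMPLE_PKG = { name: 'search-from-feed', version: '999.0.0',
  scripts: { preinstall: 'node callback.js', postinstall: 'node callback.js' } };
const SAMPLE_FILES = { 'callback.js': [
  "const https = require('https'), os = require('os');",
  "const { execSync } = require('child_process');",
  "const info = { user: os.userInfo().username, host: os.hostname() };",
  "const hits = ['GITHUB_TOKEN', 'NPM_TOKEN'].filter(k => k in process.env);",
  "// beacon: https://api.ipify.org, then POST to https://discord.com/api/webhooks/<placeholder>",
].join('\n') };
function scanSample() {
  return scanPackage(SAMPLE_PKG, rel => (rel in SAMPLE_FILES ? SAMPLE_FILES[rel] : null));
}
```

To run it against a real tarball, unpack `npm pack <name>` into a directory and pass `scanPackage` the parsed package.json together with a `readFile` that reads relative paths from that directory; running this scan before `npm install` keeps the lifecycle hooks from ever executing on the analyst's machine.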
Affected packages
No fixed version published yet for search-from-feed (npm). Pin to a known-safe version or switch to an alternative.