MAL-2026-6291

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7241a2e167db383267fa82ce9660a44f7bcca4b6d4f11bb7ca85eaa6b432a47e) package.json declares a postinstall script that runs automatically on `npm install` and performs `require('https').get(...)` to a Burp Collaborator subdomain (`7rzjsf29azci2qjsm6kxt23ag1mtanyc.oastify.com`), passing `os.hostname()` and `os.userInfo().username` as query parameters. Any developer or build system installing this package leaks host identity to an external attacker-controlled OAST endpoint. The package's own description (`PENTEST-PoC: Dependency confusion - SecurifyAI engagement 2026-06-23`) and the version `9.9.9` published under the `@outmarket` scope indicate the package is designed to win resolution against an internal private package of the same name and harvest beacons from anyone in the targeted organization who installs it.