
MAL-2026-6301

Malicious code in date-format-helper2 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (66c1775ce65ad47476ee1a0f1c7c5373e61466ec3eb4543cc658e67d2de22960)

Package is advertised as a React date-formatting utility, but its postinstall.js performs targeted credential harvesting on npm install. The script reads Coze workload identity environment variables (COZE_WORKLOAD_API_TOKEN, COZE_WORKLOAD_IDENTITY_CLIENT_ID, COZE_WORKLOAD_IDENTITY_CLIENT_SECRET, COZE_WORKLOAD_IDENTITY_TOKEN_ENDPOINT, COZE_PROJECT_SPACE_ID), uses them to mint OAuth access tokens via three grant types (client_credentials, token-exchange, and a JSON body variant) against the configured token endpoint, enumerates ~30 Coze API paths against api.coze.cn / integration.coze.cn / api.coze.com using the minted tokens, and POSTs the env values, the issued tokens, and the API responses over plaintext HTTP to http://2e3bkumw.requestrepo.com — a public request-capture sinkhole controlled by the attacker. The advertised date-helper functionality in index.js is unrelated cover for the install-time credential theft. An installer running `npm install` in CI or a developer environment with Coze credentials in scope would have their workload identity stolen and the attacker could impersonate that workload against Coze APIs.
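A check for the exposure described above, as an added example that is not part of the advisory or of any vendor tooling: it looks for `date-format-helper2` in a parsed `package-lock.json` (lockfile versions 1 to 3, transitive copies included) and reports which of the named Coze variables are set in the environment it is given. The lockfile contents, the `some-ui-kit` package and all version strings are constructed for illustration.

```javascript
// Added example: exposure check for MAL-2026-6301 (not code from the advisory).
const MALICIOUS = 'date-format-helper2';
const COZE_VARS = [
  'COZE_WORKLOAD_API_TOKEN',
  'COZE_WORKLOAD_IDENTITY_CLIENT_ID',
  'COZE_WORKLOAD_IDENTITY_CLIENT_SECRET',
  'COZE_WORKLOAD_IDENTITY_TOKEN_ENDPOINT',
  'COZE_PROJECT_SPACE_ID',
];

// lockfileVersion 1 has only a nested "dependencies" tree and no install-script flag.
function walkV1(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${trail}node_modules/${name}`;
    if (name === MALICIOUS) hits.push({ path, version: meta.version, hasInstallScript: null });
    walkV1(meta.dependencies, `${path}/`, hits);
  }
}

function auditLock(lock, env) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths; "name" is set for aliased installs.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split('node_modules/').pop();
      if (name === MALICIOUS) {
        hits.push({ path, version: meta.version, hasInstallScript: meta.hasInstallScript === true });
      }
    }
  } else {
    walkV1(lock.dependencies, '', hits);
  }
  // Names only, never values: the audit output should be safe to paste into a ticket.
  const exposedVars = COZE_VARS.filter((v) => Boolean(env[v]));
  return { installed: hits, exposedVars, rotateCredentials: hits.length > 0 && exposedVars.length > 0 };
}

// Constructed sample: a transitive copy pulled in by a hypothetical "some-ui-kit" package.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/some-ui-kit': { version: '2.1.0' },
    'node_modules/some-ui-kit/node_modules/date-format-helper2': { version: '0.0.0', hasInstallScript: true },
  },
};
const sampleEnv = { COZE_WORKLOAD_API_TOKEN: 'constructed-value', PATH: '/usr/bin' };
console.log(JSON.stringify(auditLock(sampleLock, sampleEnv), null, 2));
```

For a real project, pass the parsed `package-lock.json` and `process.env` from the CI job or shell that ran `npm install`. The environment at audit time can differ from the one at install time, so an empty `exposedVars` does not by itself show that no credentials were in scope.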


Affected packages

npm / date-format-helper2

No fixed version published yet for date-format-helper2 (npm). Pin to a known-safe version or switch to an alternative.
