MAL-2026-6337
Malicious code in hunsterx-package (npm)
Details
## Source: amazon-inspector (32f2430d6e0da9484283d0012a16df0c593ccb5fa2a56ea727bd19ba435f964f)

preinstall.js executes a chain of `eval(Buffer.from('<base64>','base64').toString())` payloads at npm install time. The decoded payloads collect:

- host identity (os.hostname, os.userInfo, cwd, network interfaces)
- the full process.env (chunked over DNS if larger than 5KB)
- the contents of ./.npmrc and ~/.npmrc
- AWS EC2 instance-identity metadata fetched from IMDSv2 at 169.254.169.254 (account ID, region)
- recursive reads of *.env / *.config / *.yaml / *.toml files in the working directory

All collected data is transmitted via https.get and dns.resolve to d8rqs6ri6i9md1fcfdpgirhdcr17idqdh.oast.fun (a ProjectDiscovery Interactsh out-of-band collaborator). postinstall.js additionally performs a DNS callback `postinstall-<rand>.d8rqs6ri6i9md1fcfdpgirhdcr17idqdh.oast.fun` to confirm both lifecycle phases ran. The base64+eval wrapping has no functional purpose other than evading static review.

Installer impact: any developer or CI runner that performs `npm install` on this package leaks npm publish tokens (from .npmrc), full environment variables (commonly containing API keys, cloud credentials, and CI secrets), and AWS account/region identifiers to the attacker.
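A static pre-install check for the pattern described above, added here as an example (it is not code from the advisory or from Amazon Inspector). It lists a package's install-time lifecycle hooks, decodes nested `eval(Buffer.from(...,'base64'))` layers as text without executing them, and flags references to process.env, .npmrc and the IMDS address. The names `scanPackage`, `unwrap` and `buildSample` are hypothetical, and the sample package is constructed.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const HOOKS = ["preinstall", "install", "postinstall"];
// Matches eval(Buffer.from('<base64>','base64') with flexible quotes and spacing.
const EVAL_B64 = /eval\s*\(\s*Buffer\.from\(\s*(['"`])([A-Za-z0-9+\/=\s]+)\1\s*,\s*(['"`])base64\3/g;
// Decode nested layers as text only (nothing is executed) so indicators become visible.
function unwrap(source, depth = 0, layers = []) {
  if (depth >= 8) return layers; // bound recursion on hostile input
  for (const m of source.matchAll(EVAL_B64)) {
    const decoded = Buffer.from(m[2], "base64").toString("utf8");
    layers.push({ depth: depth + 1, decoded });
    unwrap(decoded, depth + 1, layers);
  }
  return layers;
}

function scanPackage(dir) {
  const root = path.resolve(dir);
  const pkg = JSON.parse(fs.readFileSync(path.join(root, "package.json"), "utf8"));
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    // Scan the command string plus any .js file it names inside the package directory.
    const files = (cmd.match(/[\w.\/-]+\.js\b/g) || [])
      .map((f) => path.resolve(root, f))
      .filter((f) => f.startsWith(root + path.sep) && fs.existsSync(f));
    const layers = [cmd, ...files.map((f) => fs.readFileSync(f, "utf8"))].flatMap((s) => unwrap(s));
    const text = layers.map((l) => l.decoded).join("\n");
    findings.push({
      hook, command: cmd, evalLayers: layers.length,
      readsEnv: /process\.env/.test(text),
      readsNpmrc: /\.npmrc/.test(text), queriesImds: /169\.254\.169\.254/.test(text),
    });
  }
  return findings;
}

// Constructed sample package: the innermost "payload" is inert text used only for matching.
function buildSample() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "hook-scan-"));
  const wrap = (s) => `eval(Buffer.from('${Buffer.from(s).toString("base64")}','base64').toString())`;
  const inner = "['process.env', '~/.npmrc', '169.254.169.254'] // constructed";
  fs.writeFileSync(path.join(dir, "preinstall.js"), wrap(wrap(inner)));
  const scripts = { preinstall: "node preinstall.js", test: "echo ok" };
  fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify({ name: "sample", scripts }));
  return dir;
}
```

Run `scanPackage` against an unpacked tarball (for example the output of `npm pack` extracted to a scratch directory) before installing; a hook with `evalLayers` greater than zero warrants manual review.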
Affected packages
No fixed version published yet for hunsterx-package (npm). Pin to a known-safe version or switch to an alternative.