MAL-2026-6348

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a0192c1f2bf35c50a401e2df63f505564880339f5329c0ffcfdb8748cd6d48e3) The package declares a postinstall hook (`"postinstall": "node run.js"`) that executes run.js automatically on `npm install`. run.js imports `os`, `fs`, `http`, `https`, and `child_process`, and collects host and user identity signals including `os.hostname()`, `os.userInfo()`, `os.platform()`, `process.env.USER`, and `process.cwd()`, alongside filesystem reads (`fs.existsSync`, `fs.readFileSync`). Collected data is base64-encoded (`Buffer.from(...).toString('base64')`) and POSTed out via http/https calls (multiple POST sites at run.js lines 131, 339, 346). The composition — automatic lifecycle trigger, system/user reconnaissance, base64 packaging, and outbound POSTs — is the canonical install-time exfiltration shape and produces direct attacker benefit (host fingerprinting and credential-adjacent data leaving the installer's machine).