MAL-2026-6355

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8040bc58597dee52581beb232688c85302554af0af5726abc15c56a21ac69f2c) On `npm install`, package.json's `preinstall` hook runs index.js, which collects host identifiers (os.hostname(), os.userInfo(), homedir, DNS servers, __dirname, the package's own package.json) and reads the contents of /etc/passwd and /etc/hosts, then HTTPS-POSTs the resulting JSON to a Burp Collaborator subdomain at 3z3l99x7vp8us6lzqm575hfh58bzzqnf.oastify.com. The package has no documented purpose and no library functionality — its only effect on installers is the exfiltration beacon. Any developer or CI system that runs `npm install ppt-creator` leaks user-account enumeration data and host fingerprints to the attacker-controlled collaborator endpoint.