MAL-2026-6356

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (523c83ae906ad871cb1ea3ffef4c0ae4e2d9f717376b86e97f6575e47cbc640d) package.json declares a postinstall hook ("postinstall": "node run.js") that executes run.js automatically on `npm install`. run.js imports os, fs, http, https, and child_process and gathers host identity and environment data: os.hostname(), os.userInfo(), os.platform(), process.env.USER, process.cwd(), plus filesystem reads via fs.readFileSync / fs.existsSync. The collected data is base64-encoded (Buffer.from(...).toString('base64')) and POSTed out via HTTP/HTTPS at multiple call sites in the same script. The package name has no documented purpose that would justify install-time host reconnaissance, base64 wrapping, or outbound POSTs. Combined fingerprints (lifecycle-hook auto-execute + host-identity collection + base64 encoding + outbound HTTP POST) match a credential / system-intel exfiltration dropper.