MAL-2026-6379

Malicious code in simplisafe-gatsby (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (564baff2e47527f159c52c527e1ea2b93d73625f94737f4397cff99311871a18)

On `npm install`, the package's preinstall hook (`package.json` declares `"preinstall": "node index.js"`) executes `index.js`, which collects the installer's hostname, username, home directory, DNS configuration, package metadata, and the contents of `/etc/passwd` and `/etc/hosts` (via `fs.readFileSync`), then POSTs the collected data over HTTPS to a Burp Collaborator subdomain at xpqamgvad3ok4bc11xar5t7q8he820qp.oastify.com. The package has no advertised functionality (empty author, empty description, single recon payload file) and its name is consistent with a dependency-confusion attempt against SimpliSafe's internal Gatsby package namespace. Any machine that runs `npm install` against this name will leak system identity and local-account information to the attacker.
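
A triage check for the behaviour described above, as an added example (not code from this advisory or from the package): it flags install-time lifecycle hooks in a parsed `package.json` and scans the script they launch for the indicators the advisory names. The function name `auditPackage`, the Node API patterns and the sample manifests are assumptions constructed for illustration.

```javascript
// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Indicators from the advisory; the Node API names are assumptions about the payload.
const INDICATORS = [
  ["reads /etc/passwd", /\/etc\/passwd/],
  ["reads /etc/hosts", /\/etc\/hosts/],
  ["host/user recon", /\bos\.(hostname|userInfo|homedir)\s*\(/],
  ["DNS config lookup", /\bdns\.getServers\s*\(/],
  ["OAST callback domain", /\boastify\.com\b/i],
];

// manifest: parsed package.json; files: { relativePath: sourceText } from the tarball.
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push(`hook ${hook}: ${cmd}`);
    // Follow `node <file>` to the script the hook launches and scan its source.
    const m = /^\s*node\s+(?:\.\/)?([^\s;&|]+)/.exec(cmd);
    const src = m ? files[m[1]] : undefined;
    if (typeof src !== "string") continue;
    for (const [label, re] of INDICATORS) {
      if (re.test(src)) findings.push(`${m[1]}: ${label}`);
    }
  }
  const author = manifest.author && typeof manifest.author === "object"
    ? manifest.author.name : manifest.author;
  if (!author && !manifest.description) findings.push("manifest: empty author and description");
  return findings;
}

// Constructed samples: a manifest shaped like the one described, and an inert source fragment.
const SUSPECT_MANIFEST = { name: "simplisafe-gatsby", author: "", description: "",
  scripts: { preinstall: "node index.js" } };
const SUSPECT_FILES = { "index.js": [
  'const info = { host: os.hostname(), user: os.userInfo().username };',
  'info.passwd = fs.readFileSync("/etc/passwd", "utf8");',
  'info.hosts = fs.readFileSync("/etc/hosts", "utf8");',
  '// destination: PLACEHOLDER.oastify.com (request code omitted)',
].join("\n") };
const BENIGN_MANIFEST = { name: "example-site", author: "Example Dev",
  description: "Constructed benign package", scripts: { build: "gatsby build" } };

console.log(auditPackage(SUSPECT_MANIFEST, SUSPECT_FILES).join("\n"));
```

Running `npm install --ignore-scripts` keeps hooks such as `preinstall` from executing while a package is being reviewed.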

Affected packages

npm / simplisafe-gatsby

No fixed version published yet for simplisafe-gatsby (npm). Pin to a known-safe version or switch to an alternative.
