MAL-2026-6394
Malicious code in hs-locale-management (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1161606183ced9cba1c4822de7f6a3515230f04ccfadd33ea2937c667cfaf1d2)

The package impersonates an internal HubSpot `hs-`-prefixed package and publishes a high version (`99.99.99-poc2`) so that a resolver which consults the public registry prefers it over the genuine internal package (dependency confusion). On `npm install`, `preinstall.js` sends an HTTP POST to webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7 carrying the installing host's hostname, current working directory, pid, OS user, platform, and the list of environment variable key names; after install completes, `postinstall.js` sends a second beacon to the same endpoint with hostname, cwd, pid, platform, and Node version. The endpoint is an attacker-controlled webhook collector, and the package's own comments describe the behavior as a stand-in for harvesting CI/CD secrets (AWS keys, npm tokens) and source code. Both lifecycle hooks run automatically during installation with no user interaction, so any developer machine or CI runner that resolved this package has already beaconed.
Affected packages
No fixed version has been published for hs-locale-management (npm), and because the public package exists only as a dependency-confusion placeholder, no public version of it should be treated as safe. Remove it from lockfiles and `node_modules`, check whether any `hs-` packages resolved from registry.npmjs.org rather than the internal registry, and treat hosts that installed it as having disclosed the hostname, user, working directory and environment variable names listed above. Pinning internal prefixes to the internal registry in `.npmrc` and running CI installs with `--ignore-scripts` where lifecycle hooks are not required would have kept both beacons from firing.