MAL-2026-6458
Malicious code in wp-codebox-workspace (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a44aa2030ed09d6ec3998c59953a44e013c1993d93a90ee031b0999480afb03c)

Package is published at version 9999.99.99 with a description referencing an 'npm 404 error referenced in Extra-Chill/homeboy-extensions' — the textbook dependency-confusion shape, where an unclaimed internal package name is registered publicly at a maximal version so private builds silently resolve to this public package. On install, postinstall.js reads npm package metadata, Node/OS info, and CI environment indicators including GITHUB_REPOSITORY, GITHUB_REPOSITORY_OWNER, and GITHUB_WORKFLOW, then POSTs them to https://ddactic-lab.online/sc/beacon. A DNS-lookup fallback encodes the package slug, CI provider, and a hash into a subdomain label under b.ddactic-lab.online, with an in-source comment stating the channel exists to fire 'even through HTTP-blocking corporate proxies' — explicit intent to evade installer egress controls. The combined effect: any private CI build that mistakenly resolves this name leaks the victim organization's private repository, owner, and workflow identifiers to an attacker-controlled host, with a covert DNS fallback for environments that block HTTP.
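To check a project for the pattern described above, the following added example (not code from the advisory or from the package) audits a parsed package-lock.json for the advisory's package name and the inflated-version shape, and matches hostnames from proxy or DNS logs against the beacon domain. The version threshold, the function names and the sample lockfile are assumptions made for the example.

```javascript
const ADVISORY_PACKAGE = "wp-codebox-workspace"; // package name from the advisory
const BEACON_DOMAIN = "ddactic-lab.online";      // beacon domain from the advisory
const MAJOR_THRESHOLD = 9000; // assumption: no legitimate dependency has a major version this high

// Package name from a lockfile key such as "node_modules/a/node_modules/@scope/b".
function packageName(lockKey) {
  const marker = "node_modules/";
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? lockKey : lockKey.slice(i + marker.length);
}

// Walk the "packages" map of a lockfileVersion 2 or 3 lockfile and collect suspect entries.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // root project entry
    const name = packageName(key);
    const reasons = [];
    if (name === ADVISORY_PACKAGE) reasons.push("name-in-advisory");
    const major = parseInt(String(entry.version || "").split(".")[0], 10);
    if (major >= MAJOR_THRESHOLD) reasons.push("inflated-version");
    // npm sets hasInstallScript when a package declares install-time scripts
    if (reasons.length && entry.hasInstallScript) reasons.push("runs-install-script");
    if (reasons.length) findings.push({ name, version: entry.version, resolved: entry.resolved, reasons });
  }
  return findings;
}

// True for the beacon domain and any subdomain (covers the DNS fallback labels under b.<domain>).
function isBeaconHost(hostname) {
  const h = String(hostname).toLowerCase().replace(/\.$/, "");
  return h === BEACON_DOMAIN || h.endsWith("." + BEACON_DOMAIN);
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/wp-codebox-workspace": {
      version: "9999.99.99",
      resolved: "https://registry.npmjs.org/wp-codebox-workspace/-/wp-codebox-workspace-9999.99.99.tgz",
      hasInstallScript: true,
    },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

A finding whose `resolved` URL points at the public registry for a name that should only exist in a private registry is the case to investigate first.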
Affected packages
No fixed version published yet for wp-codebox-workspace (npm). Pin to a known-safe version or switch to an alternative.