MAL-2026-6481
Malicious code in gx-npm-ui (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (04e5ac6b8b24f2c158c37d3d6ac268bbf7f472433660064491538ee468cfcfcb)

Package published at version 99.99.99 under the gx-npm-* namespace, the classic dependency-confusion shape: an implausibly high version on the public registry wins npm version resolution against a private internal package of the same name. package.json declares postinstall=`node beacon.js`, which runs unconditionally on `npm install`. beacon.js collects the installer's hostname, OS username, current working directory, package name, Node version, and the first 80 environment variable names, then exfiltrates them two ways to the hardcoded out-of-band host `d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me`: (1) a DNS lookup encoding the collected identifiers as subdomain labels, and (2) an HTTPS GET with a base64-encoded JSON payload in the query string. Any CI/build system or developer machine that resolves this package against the public npm registry leaks host identity and environment-variable names to an attacker-controlled interactsh/OAST endpoint on every install; the DNS leg succeeds even where outbound HTTPS is blocked, so DNS query logs are the more reliable place to look for prior installs.
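The two checks a responder wants after reading the above are (a) a way to flag packages with this shape before or after they land in node_modules, and (b) a way to recover what a captured HTTPS beacon actually sent. The following is an added example written for this advisory, not code from the package or from the advisory source. It runs on constructed in-memory fixtures: the `beacon.js` content is a placeholder carrying only the callback host quoted above, the payload field names (`h`, `u`, `pkg`, `node`) and the query parameter name `d` are assumptions (the advisory does not name them, so the decoder tries every parameter), and the OAST domains beyond `oast.me` are a list of common interactsh/Collaborator suffixes you should extend for your environment.

```javascript
// Added example for MAL-2026-6481 (not from the advisory or the package).
//  1. auditPackage(): flag install-time lifecycle hooks, dependency-confusion
//     version shapes (99.99.99) and OAST callback hosts in a package's files.
//  2. decodeExfilUrl(): recover the JSON payload from a captured HTTPS GET
//     whose query string carries base64-encoded JSON.
"use strict";

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// oast.me comes from the advisory; the other suffixes are common interactsh /
// Burp Collaborator domains (assumption: extend for your environment).
const OAST_HOST_RE =
  /\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:oast\.(?:me|fun|live|pro|site|online)|interact\.sh|oastify\.com|burpcollaborator\.net)\b/gi;

// A major component >= 99 is the dependency-confusion shape: it outranks any
// realistic internal version during resolution.
function isConfusionVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m !== null && Number(m[1]) >= 99;
}

// Unique, lower-cased OAST hostnames found in a blob of text.
function findOastHosts(text) {
  const hits = String(text).match(OAST_HOST_RE) || [];
  return [...new Set(hits.map((h) => h.toLowerCase()))];
}

// pkg = { manifest: <parsed package.json>, files: { "<path>": "<content>" } }
// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditPackage(pkg) {
  const findings = [];
  const { manifest, files = {} } = pkg;
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push({ kind: "lifecycle-hook", hook, command: scripts[hook] });
    }
  }
  if (isConfusionVersion(manifest.version)) {
    findings.push({ kind: "confusion-version", version: manifest.version });
  }
  for (const [file, content] of Object.entries(files)) {
    for (const host of findOastHosts(content)) {
      findings.push({ kind: "oast-host", file, host });
    }
  }
  return findings;
}

// Try every query parameter of a captured URL as base64(JSON) and return the
// first one that decodes to an object, or null. The parameter name is not
// known from the advisory, so none is assumed.
function decodeExfilUrl(url) {
  const u = new URL(url);
  for (const [key, value] of u.searchParams) {
    try {
      const obj = JSON.parse(Buffer.from(value, "base64").toString("utf8"));
      if (obj && typeof obj === "object") return { param: key, payload: obj };
    } catch {
      // not base64-encoded JSON; try the next parameter
    }
  }
  return null;
}

// Constructed fixture resembling the advisory's package. beacon.js here is a
// placeholder that only carries the callback host, not the real collector.
const SAMPLE_PACKAGE = {
  manifest: {
    name: "gx-npm-ui",
    version: "99.99.99",
    scripts: { postinstall: "node beacon.js" },
  },
  files: {
    "beacon.js":
      '// placeholder\nconst HOST = "d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me";\n',
  },
};

// Constructed capture of the HTTPS leg: base64(JSON) in the query string.
// Field names and the parameter name "d" are assumptions.
const SAMPLE_PAYLOAD = { h: "build-runner-7", u: "ci", pkg: "gx-npm-ui", node: "v20.11.1" };
const SAMPLE_URL =
  "https://d8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me/?d=" +
  encodeURIComponent(Buffer.from(JSON.stringify(SAMPLE_PAYLOAD)).toString("base64"));

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE), null, 2));
console.log(decodeExfilUrl(SAMPLE_URL));
```

Run it over every `node_modules/*/package.json` plus the files it ships, or over the tarball contents before install. Note that `gx-npm-ui` is an unscoped name, so an `.npmrc` scope-to-registry mapping cannot pin it to your private registry; the durable fixes are `ignore-scripts=true` in CI and a registry proxy that refuses to resolve internal names from the public registry.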
Affected packages
No fixed version has been published for gx-npm-ui (npm). Because the name was chosen to collide with a private internal package, there is no known-safe public version to pin to: remove the dependency, or ensure it resolves only from your private registry, and treat the leaked hostnames, usernames and environment-variable names as reconnaissance the attacker now holds.