MAL-2026-6550

Malicious code in @k18n/creatormarketplace-admin-language (npm)

Details

## Source: amazon-inspector (6213acbcf6c562c8a7690e6018490d502d8df9377a2ed85c5bca9d828ed261c8)

Package claims the @k18n npm scope (used internally by Kuaishou) and publishes at version 99.0.0, the canonical high-version dependency-confusion shape that causes internal builds resolving @k18n from public npm to pull this artifact. A preinstall script in index.js collects host identifiers (os.hostname(), os.userInfo().username, install directory, cwd, package version) and transmits them to c.adityasec.com over two channels: an HTTPS POST to https://c.adityasec.com/LdCdrTByhmflbwt5qFNisg and a DNS lookup of a hex-encoded subdomain under c.adityasec.com (DNS exfil fallback for hosts where outbound HTTPS is restricted). The lifecycle hook fires automatically on `npm install` with no consent. The package's own description self-labels this as a 'dependency confusion proof of concept,' but the cover-story label does not change the installer-side harm: any build host that resolves @k18n from the public registry leaks internal hostnames, usernames, and build paths to a third-party operator.
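To check whether a build resolved an internal scope from the wrong registry, the following added example (not part of the advisory or of any vendor tooling) audits a `package-lock.json` with lockfileVersion 2 or 3. The internal registry host `npm.internal.example`, the package `@k18n/core` and the sample lockfile are constructed assumptions.

```javascript
// Added example: flag lockfile entries in internal scopes that were NOT
// resolved from the internal registry (the dependency-confusion outcome).
// ASSUMPTIONS: scope list and registry host are placeholders for your org.
const INTERNAL_SCOPES = ['@k18n'];
const INTERNAL_REGISTRY_HOST = 'npm.internal.example'; // hypothetical host

function packageNameFromLockKey(key) {
  // Keys look like "node_modules/a/node_modules/@scope/name"; keep the last package.
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? key : key.slice(idx + 'node_modules/'.length);
}

function findConfusedPackages(lock, scopes = INTERNAL_SCOPES, host = INTERNAL_REGISTRY_HOST) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || entry.link) continue; // skip root project and workspace links
    const name = packageNameFromLockKey(key);
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (!scope || !scopes.includes(scope)) continue;
    let resolvedHost = null;
    try { resolvedHost = new URL(entry.resolved).hostname; } catch { /* missing or not a URL */ }
    if (resolvedHost === host) continue; // came from the internal registry: fine
    findings.push({ name, version: entry.version, resolvedHost,
                    hasInstallScript: entry.hasInstallScript === true });
  }
  return findings;
}

// Constructed sample lockfile: one internal package resolved correctly,
// one pulled from public npm at 99.0.0 with an install script, one public dep.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'admin-console', version: '1.0.0' },
    'node_modules/@k18n/core': {
      version: '2.4.1',
      resolved: 'https://npm.internal.example/@k18n/core/-/core-2.4.1.tgz' },
    'node_modules/@k18n/creatormarketplace-admin-language': {
      version: '99.0.0',
      resolved: 'https://registry.npmjs.org/@k18n/creatormarketplace-admin-language/-/creatormarketplace-admin-language-99.0.0.tgz',
      hasInstallScript: true },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
  },
};

console.log(findConfusedPackages(sampleLock));
```

A non-empty result is worth failing the CI job on; entries with `hasInstallScript` set run lifecycle scripts on `npm install` unless scripts are disabled.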

Affected packages

npm / @k18n/creatormarketplace-admin-language
Introduced in: 0

No fixed version published yet for @k18n/creatormarketplace-admin-language (npm). Pin to a known-safe version or switch to an alternative.

References