
MAL-2026-6553

Malicious code in insomnia-plugin-poc-m4gester2 (npm)

Details


## Source: amazon-inspector (1b2b63f22e7d0d8f23c608a3c109163e06e2bd6a1dd716305e0d8adaf6be6b86)

The package ships only a package.json with no plugin code. The manifest declares a postinstall lifecycle script that runs `echo PWNED_BY_DEEPLINK > /tmp/pwned.txt` on every `npm install` (lifecycle scripts run by default unless the installer passes `--ignore-scripts`). This writes a marker file to the installer's filesystem and demonstrates arbitrary command execution at install time. The package name self-identifies as a proof-of-concept (`poc-m4gester`) and adopts the `insomnia-plugin-*` namespace despite shipping no Insomnia plugin functionality. While the current payload is a benign marker write, the postinstall hook is an arbitrary-shell-on-install primitive with no legitimate purpose, in a namespace-squatting shell of a package, and its command could be changed in any later release.
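The advisory describes the two signals that make this package suspicious: a lifecycle hook that runs a shell command against the installer's filesystem, and a plugin-namespace name with no plugin code behind it. The following is an added example, not code from the advisory, Amazon Inspector or the package itself, of how a practitioner could check a manifest for both signals before installing. The sample manifests are constructed for the example: `POC_MANIFEST` mirrors the advisory's description rather than reproducing the registry's actual file, and `BENIGN_MANIFEST` / `NO_HOOKS_MANIFEST` are hypothetical packages used for comparison. The check for an `insomnia` object in the manifest assumes that is how Insomnia plugins register themselves.

```javascript
// Audit a package.json for install-time lifecycle hooks and namespace squatting.
// Added example; heuristics, not proof of malice.

// npm lifecycle hooks that execute during `npm install` of a dependency.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'preprepare', 'postprepare'];

// Shell fragments that deserve a human look when they appear in a lifecycle hook.
const SUSPICIOUS_PATTERNS = [
  { name: 'writes outside the package', re: /(?:>|>>)\s*\/(?:tmp|etc|var|home|root|Users)\b/ },
  { name: 'downloads content', re: /\b(?:curl|wget|Invoke-WebRequest|fetch)\b/i },
  { name: 'pipes into an interpreter', re: /\|\s*(?:sh|bash|zsh|node|python\d?)\b/ },
  { name: 'encoded payload', re: /\b(?:base64|atob|Buffer\.from\()/ },
  { name: 'reads secrets from the environment', re: /\$\{?[A-Z_]*(?:TOKEN|KEY|SECRET|PASSWORD)[A-Z_]*\}?|process\.env/ },
];

// Assumption: Insomnia plugins are identified by an `insomnia` object in package.json.
const INSOMNIA_PREFIX = 'insomnia-plugin-';

function auditManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const scripts = manifest.scripts || {};
  // A package that declares no entry point, binary or file list ships no code to run.
  const shipsCode = Boolean(
    manifest.main || manifest.bin || (Array.isArray(manifest.files) && manifest.files.length)
  );

  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const command = scripts[hook];
    const reasons = SUSPICIOUS_PATTERNS.filter((p) => p.re.test(command)).map((p) => p.name);
    // An install hook in a package with no code has no benign purpose.
    if (!shipsCode) reasons.push('lifecycle hook in a package that declares no code');
    findings.push({ hook, command, reasons });
  }

  const namespaceSquat =
    typeof manifest.name === 'string' && manifest.name.startsWith(INSOMNIA_PREFIX) && !manifest.insomnia;

  // 'block' when a hook matches a suspicious pattern, 'review' when any hook or
  // namespace oddity is present, 'ok' when neither is.
  let verdict = 'ok';
  if (findings.length) verdict = findings.some((f) => f.reasons.length) ? 'block' : 'review';
  if (namespaceSquat && verdict === 'ok') verdict = 'review';

  return { name: manifest.name, shipsCode, namespaceSquat, findings, verdict };
}

// Constructed sample manifests (not the real registry contents).
const POC_MANIFEST = JSON.stringify({
  name: 'insomnia-plugin-poc-m4gester2',
  scripts: { postinstall: 'echo PWNED_BY_DEEPLINK > /tmp/pwned.txt' },
});
const BENIGN_MANIFEST = JSON.stringify({
  name: 'example-lib',
  main: 'index.js',
  scripts: { postinstall: 'node scripts/postinstall.js', test: 'mocha' },
});
const NO_HOOKS_MANIFEST = JSON.stringify({
  name: 'example-plain',
  main: 'index.js',
  scripts: { test: 'mocha' },
});

for (const m of [POC_MANIFEST, BENIGN_MANIFEST, NO_HOOKS_MANIFEST]) {
  console.log(JSON.stringify(auditManifest(m), null, 2));
}
```

Run against the constructed PoC manifest, the audit reports a `postinstall` hook that writes to `/tmp`, a package with no code, and an `insomnia-plugin-*` name with no plugin metadata, and returns a `block` verdict; the hypothetical library with a hook but no suspicious fragments gets `review`, which is the right default for any lifecycle script you have not read. As a blanket mitigation, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) prevents this class of payload from running at all, at the cost of breaking packages that legitimately build in a hook.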


Affected packages

npm / insomnia-plugin-poc-m4gester2
Introduced in: 0

No fixed version has been published for insomnia-plugin-poc-m4gester2 (npm). Because the package is malicious from its first version, there is no known-safe version to pin to: remove it from your dependency tree and replace it with a legitimate alternative. Any host that installed it has already run the postinstall command; check for /tmp/pwned.txt and review what else ran during that install.
