MAL-2026-6572
Malicious code in rebrandly-domains-digger (npm)
Details
## Source: amazon-inspector (4d1744d2a299b9ef0526f49b4b2297fcd6c72581c51a3359801db56318d8cfda)

The package declares a `preinstall` hook that runs `node callback.js`. On `npm install`, `callback.js` collects installer-side identifiers — `os.hostname()`, `os.userInfo().username`, `process.cwd()`, the configured npm registry, and CI repo-identifying environment variables (e.g. `GITHUB_REPOSITORY`) — and issues an HTTP GET to `http://75.119.137.232:31337/depconfuse?pkg=...` carrying those values as query parameters. The version number `9999.0.0` and the `/depconfuse` path are consistent with a dependency-confusion reconnaissance beacon designed to identify organizations that internally use a package named `rebrandly-domains-digger`, so the attacker can target follow-on confusion attacks against their private/internal package namespace. The destination is a hardcoded bare IPv4 on a non-standard port over plain HTTP, with no relation to any legitimate publisher infrastructure.
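One way to check a project for the traits described above, as an added example that is not part of the advisory or of any vendor tooling: it audits a parsed `package-lock.json` (lockfileVersion 2 or 3) for an inflated version, an install-time script, and an internal package name resolved from the public registry. The `auditLockfile` function, the `internalNames` list, the major-version threshold of 1000 and the sample lockfile are all assumptions made for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2/3) for the
// dependency-confusion traits this advisory describes. Names are hypothetical.
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";
const MAJOR_THRESHOLD = 1000; // assumed cut-off for an implausibly high major version

function auditLockfile(lock, internalNames) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry, not a dependency
    // Handles nested and scoped paths, e.g. node_modules/a/node_modules/@s/b
    const name = entry.name || path.slice(idx + "node_modules/".length);
    const reasons = [];
    const major = parseInt(String(entry.version || "").split(".")[0], 10);
    if (major >= MAJOR_THRESHOLD) reasons.push("inflated-version");
    // npm records hasInstallScript for packages with preinstall/install/postinstall
    if (entry.hasInstallScript === true) reasons.push("install-script");
    const fromPublic = String(entry.resolved || "").startsWith(PUBLIC_REGISTRY);
    if (internalNames.includes(name) && fromPublic) {
      reasons.push("internal-name-from-public-registry");
    }
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/rebrandly-domains-digger": {
      version: "9999.0.0",
      resolved: "https://registry.npmjs.org/rebrandly-domains-digger/-/rebrandly-domains-digger-9999.0.0.tgz",
      hasInstallScript: true,
    },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
    },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock, ["rebrandly-domains-digger"]), null, 2));
```

Installing with `npm install --ignore-scripts`, or setting `ignore-scripts=true` in `.npmrc`, keeps a `preinstall` hook like this one from running during installation.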
Affected packages
0 No fixed version published yet for rebrandly-domains-digger (npm). Pin to a known-safe version or switch to an alternative.