MAL-2026-6700

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d3b789fbaaf21d9554aa580105d73d992d4a82963e1ade3c6dca6290f5cd7a3e) package.json declares preinstall, install, and postinstall hooks that all invoke install.js, so the payload runs unconditionally on `npm install`. install.js reads installer-side secrets and host data — /app/.env, /root/.npmrc, /home/node/.npmrc, /etc/npmrc, /app/.git/config, package.json, /proc/self/environ, and the full process.env (JSON-stringified, sliced to 15000 chars) — runs shell reconnaissance (id, hostname, whoami, ls, ps, find/grep for flag files), base64-encodes the bundle, and POSTs/PUTs it via http.request to the hardcoded endpoint http://154.57.164.76:30728/api/modules/ECT-839201. The tarball additionally ships publish-and-arm.sh and arm-aliases.sh, which document and automate publishing the package under aliases (curse-dependent, spectral-corsair, @spectral-corsair/cursed-modules) using `npm:module-index-cache@1.0.2` redirection — explicitly labeled `dependency-confusion` and `armed-alias-public-npm` — to weaponize name confusion against private-registry consumers. A CTF/cover-story framing in comments does not change the installer impact: any machine that installs this package leaks its environment variables, npm auth tokens, dotenv contents, git configuration, and selected source/filesystem data to an attacker-controlled host.