CRITICAL npm Malware

Malicious code in @giftyhq/widget-components (npm)

MAL-2026-5747

Published · Modified

Description



Source: amazon-inspector (8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62)

package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host fingerprinting data — os.hostname(), os.userInfo(), process.platform, uid/gid, shell, cwd, and the output of child_process.exec('whoami') and exec('id') — and POSTs the result as JSON to the hardcoded URL https://zad79wtflht20n15czfieir3quwlkb80.oastify.com/detox56. The destination is a Burp Collaborator (oastify.com) out-of-band subdomain used as attacker-controlled exfiltration infrastructure. The package ships no legitimate component code; metadata is empty (no author, no description) and the package's only effect is the install-time recon beacon. Name and scope are consistent with a dependency-confusion / namespace-squat lure.
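The traits described above (an install-time hook running a local script, host fingerprinting calls, an out-of-band callback domain, empty metadata) can be checked statically on an unpacked package before anything is installed. This is an added example, not code from the advisory or the package: the function and rule names and the sample input are constructed, and burpcollaborator.net is an extra OAST domain not named in the description.

```javascript
// Static audit of an unpacked npm package for install-time recon beacons.
const HOOKS = ['preinstall', 'install', 'postinstall'];
// oastify.com comes from the advisory; burpcollaborator.net is an added assumption.
const OAST_DOMAINS = ['oastify.com', 'burpcollaborator.net'];
const RECON_PATTERNS = [
  /\bos\.(hostname|userInfo)\s*\(/,              // host fingerprinting via os module
  /\bexec(Sync)?\s*\(\s*['"`](whoami|id)['"`]/,  // shelling out for identity info
];

// Pull every hostname that appears in an http(s) URL literal.
function extractHosts(source) {
  const hosts = [];
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.push(m[1].toLowerCase());
  return hosts;
}

// Match the domain itself or any subdomain, but not look-alike suffixes.
function isOastHost(host) {
  return OAST_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}

// manifest: parsed package.json; files: { relativePath: sourceText }
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ rule: 'install-hook', detail: `${hook}: ${cmd}` });
    const m = /^\s*node\s+(\S+)/.exec(cmd);       // follow "node <file>" into the file
    const src = m ? files[m[1].replace(/^\.\//, '')] : undefined;
    if (src === undefined) continue;
    if (RECON_PATTERNS.some((re) => re.test(src))) findings.push({ rule: 'host-recon', detail: m[1] });
    for (const host of extractHosts(src)) {
      if (isOastHost(host)) findings.push({ rule: 'oast-endpoint', detail: host });
    }
  }
  if (!manifest.author && !manifest.description) findings.push({ rule: 'empty-metadata', detail: manifest.name });
  return findings;
}

// Constructed sample input: inert fragments, not the real package contents.
const sampleManifest = { name: '@example/widget-components', scripts: { preinstall: 'node index.js' } };
const sampleFiles = { 'index.js': [
  "const os = require('os');",
  "const info = { host: os.hostname() };",
  "const url = 'https://constructed-id.oastify.com/path';",
].join('\n') };

console.log(auditPackage(sampleManifest, sampleFiles));
```

Installing with npm's --ignore-scripts option prevents the preinstall hook from firing at all, which leaves time to run a check like this on the unpacked tarball.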
