Supply-chain threat intelligence
Risk score
92
Indexed incident for shop-minis (npm).
On npm install, the package's postinstall script (postinstall.js, run via scripts.postinstall = 'node postinstall.js') collects host identity (whoami, id, os.hostname(), os.platform(), the current working directory, and the env vars CI, GITHUB_REPOSITORY, NODE_ENV) and sends it to the hardcoded attacker-controlled host svr57aylqme3zald4p0psi1hw827q1eq.oastify.com (a Burp Collaborator / OAST canary domain) via both https.get and a DNS lookup. The package name shop-minis and its self-description, 'Security research canary — shopify', impersonate Shopify's Shop Minis platform, so any developer expecting that namespace would unwittingly leak host recon to the canary operator's collaborator instance. The package ships no real functionality matching its name; the only effect of installation is the exfiltration beacon.
Affected versions
Indicators
Timeline