Supply-chain threat intelligence
Risk score: 92
Indexed incident for vestibulect (npm).
package.json declares a postinstall hook ("postinstall": "node install.js") which executes install.js automatically on npm install. install.js imports fs and https, enumerates the filesystem via fs.readdirSync(...) and reads file contents with fs.readFileSync(...), then performs outbound network calls via https.get(...). This combination — directory enumeration, file read, and unconditional outbound HTTPS in an install lifecycle script — is the canonical filesystem-to-network exfiltration shape and produces a direct attacker benefit: any developer or CI machine running npm install vestibulect has local file contents transmitted off-host to whatever destination the script chooses. The package has no advertised purpose that would justify reading local files at install time.