THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in use-context-selector-tony (npm)

use-context-selector-tony

Risk score

92

AI summary

Indexed incident for use-context-selector-tony (npm).

Description


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6dde262b1fecc08fe5853c4ec7ada6c3c3746a6e7afb5bd18c33d5adfa03843c)

This package is a name-squat of the popular use-context-selector library and ships a postinstall script (dist/postinstall.js / src/postinstall.js) that, on npm install, reads process.env and beacons to the hardcoded endpoint https://almondco.online via https.get. The endpoint is unrelated to any published use-context-selector author or infrastructure and is hardcoded in the install-lifecycle script. The combination of (a) name confusion against an established library, (b) a postinstall hook firing without consent on every npm install, (c) reads of process.env, and (d) outbound HTTPS to an attacker-controlled domain matches the standard install-time environment-exfiltration pattern.
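A static triage for signals (b) through (d) above, as an added example that is not part of the advisory or of ThreatPkg. The function names, the sample manifest, and the stand-in script body with its `.invalid` host are constructed for illustration, and the regex checks are a heuristic, not a complete detector.

```javascript
// Added example: static triage for the install-time pattern in the advisory.
// All names and the sample package below are constructed for illustration.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Collect JS files referenced by install-lifecycle hooks, e.g. "node dist/postinstall.js".
function lifecycleScriptFiles(manifest) {
  const scripts = manifest.scripts || {};
  const files = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    for (const m of cmd.matchAll(/(?:^|\s)([\w./-]+\.(?:c|m)?js)\b/g)) {
      files.push({ hook, file: m[1] });
    }
  }
  return files;
}

// Signal (c): reads of process.env. Signal (d): outbound request calls and hardcoded hosts.
function scanSource(source) {
  const readsEnv = /\bprocess\.env\b/.test(source);
  const netCall = /\b(?:https?\.(?:get|request)|fetch)\s*\(/.test(source);
  const hosts = [...source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map(m => m[1].toLowerCase());
  return { readsEnv, netCall, hosts: [...new Set(hosts)] };
}

// Signal (b) plus (c) and (d): a hook-run file that reads env and calls out is high priority.
function triagePackage(manifest, sources) {
  return lifecycleScriptFiles(manifest).map(({ hook, file }) => {
    const s = scanSource(sources[file] || '');
    return { hook, file, ...s, suspicious: s.readsEnv && s.netCall && s.hosts.length > 0 };
  });
}

// Constructed sample: manifest plus a benign stand-in script body held as a string (never run).
const sampleManifest = {
  name: 'example-pkg',
  scripts: { postinstall: 'node dist/postinstall.js', test: 'jest' },
};
const sampleSources = {
  'dist/postinstall.js':
    "const https = require('https');\nconst e = process.env;\nhttps.get('https://collector.example.invalid/ping');\n",
};

console.log(triagePackage(sampleManifest, sampleSources));
```

Run it against an unpacked tarball (for example from `npm pack`) rather than an installed tree, so the hook itself never executes; `npm install --ignore-scripts` prevents lifecycle scripts from firing during install.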


Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
