npm

hs-locale-management@99.99.99-poc3

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 2:40 AM UTC

Malicious

OSV ID

MAL-2026-6394

Ecosystem

npm

Summary

Package targets the internal-sounding name 'hs-locale-management' on the public npm registry at an inflated version (99.99.99-poc3), the canonical dependency-confusion shape. Both preinstall.js and postinstall.js execute automatically on npm install and POST installer identity to a hardcoded collector at https://webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7, including os.hostname(), process.cwd(), pid, node version, platform, arch, user, and the first 20 environment variable names from process.env. preinstall.js additionally issues a uniquely-keyed DNS lookup to pkg-poc3-<timestamp>.callbacks.report, providing an out-of-band beacon that confirms code execution even when HTTPS egress is blocked. The package's self-description as a 'security PoC' does not change the behavior: a public-registry package claiming an internal name and exfiltrating host/env data on install is the harmful end of the dependency-confusion pattern regardless of stated intent.

Source: amazon-inspector (1d717c264a1c338c3b3fee43c13e43eba24cafbdabf34f62108bbd99e05c6b1b)
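
A lockfile check for the shape described in the summary, as an added example that is not part of the advisory or of any scanner's code. It assumes a package-lock.json of lockfileVersion 2 or 3; the internal-name list, the major-version threshold and the sample lockfile are constructed for illustration.

```javascript
// Added example: flags the dependency-confusion shape in a parsed package-lock.json (v2/v3).
const KNOWN_BAD = { name: 'hs-locale-management', version: '99.99.99-poc3' }; // from this advisory
// Assumption: names your organisation publishes only to a private registry.
const INTERNAL_NAMES = new Set(['hs-locale-management']);
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';
const INFLATED_MAJOR = 99; // assumed heuristic threshold for an implausibly high major version

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; keep the last package name.
function nameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry
    const name = entry.name || nameFromKey(key);
    const version = String(entry.version || '');
    const reasons = [];
    if (name === KNOWN_BAD.name && version === KNOWN_BAD.version) reasons.push('known-malicious');
    if (INTERNAL_NAMES.has(name)) {
      if (String(entry.resolved || '').startsWith(PUBLIC_REGISTRY)) {
        reasons.push('internal-name-from-public-registry');
      }
      if (parseInt(version, 10) >= INFLATED_MAJOR) reasons.push('inflated-version');
    }
    // Install hooks are common in benign packages, so report them only as aggravating context.
    if (reasons.length > 0 && entry.hasInstallScript) reasons.push('runs-install-script');
    if (reasons.length > 0) findings.push({ name, version, reasons });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/hs-locale-management': {
      version: '99.99.99-poc3',
      resolved: 'https://registry.npmjs.org/hs-locale-management/-/hs-locale-management-99.99.99-poc3.tgz',
      hasInstallScript: true,
    },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
  },
};
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Installing with `npm ci --ignore-scripts` keeps preinstall and postinstall hooks from running while a flagged lockfile is being reviewed.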
