MAL-2026-4496
Malicious code in bandkit (npm)
Details
## Source: amazon-inspector (c2586b0e7114265fe8e85fee87db4b264f1dce9a574916b333af41870369e44a)

bandkit ships a React/Solidity 'strategy bot' library whose deployment helper hardcodes an XOR-obfuscated Ethereum address (0xe9e41c03d5b0b6fb543f4cd1cd8ad81ece4c830f) as the default destination wallet. In dist/useStrategyContractDeployment.js, deployStrategyContract() passes `options.strategyWalletAddress ?? getDefaultStrategyWallet()` to the BandStrategy constructor as the immutable `strategyWallet`. The shipped contract (contracts/BandStrategy.sol) then implements activateStrategyEngine() as `(bool ok, ) = strategyWallet.call{value: amount}("")`, transferring the user's full deposited ETH balance to that address; withdrawAll() returns zero afterward.

The address is stored as a cipher+key XOR pair in dist/defaultStrategyWallet.js with an in-source comment acknowledging this provides 'friction against casual npm-source scrapers', while the README explicitly markets the package as having 'no hardcoded wallet addresses'. A developer following the documented quickstart and clicking the prominent 'Start Bot' button in <BandPanel/> irrevocably forwards all deposited ETH to the package author.

The combination of (1) caller-supplied funds being silently routed to a hardcoded author-controlled address through the package's normal advertised API, (2) deliberate obfuscation of that address, and (3) documentation that contradicts the actual behavior leaves no plausible benign interpretation.
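As an added example (not code from bandkit or from the advisory's source), the scanner below shows the check a package reviewer would run against a dependency like this one: pull every numeric byte-array literal out of the shipped JavaScript, XOR each same-length pair, and flag any result that decodes to an Ethereum address, then compare that finding with what the README claims. It assumes the XOR pair is stored as two same-length numeric array literals; the real file's variable names and layout are not described in the advisory, and the sample module it scans is constructed here from the advisory's address with a throwaway key.

```javascript
// Added example, not code from bandkit or from the advisory's source.
// A reviewer-side scanner: find XOR-obfuscated byte-array pairs in shipped
// JavaScript, decode them, and flag any plaintext that is an Ethereum address.
// ASSUMPTION: the obfuscated value sits in two same-length numeric array
// literals (the advisory only says "cipher+key XOR pair"; the real file's
// variable names and layout are not described).

const ETH_ADDRESS = /^0x[0-9a-fA-F]{40}$/;

// XOR two equal-length byte arrays and return the plaintext.
function xorDecode(cipher, key) {
  if (cipher.length !== key.length) throw new Error('cipher/key length mismatch');
  return Buffer.from(cipher.map((c, i) => c ^ key[i])).toString('utf8');
}

// Collect every `const|let|var name = [n, n, ...]` literal whose values fit a byte.
function extractByteArrays(source) {
  const arrays = new Map();
  const re = /(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*\[([\d\s,]+)\]/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const bytes = m[2].split(',').map((s) => s.trim()).filter((s) => s.length > 0).map(Number);
    if (bytes.every((b) => b >= 0 && b <= 255)) arrays.set(m[1], bytes);
  }
  return arrays;
}

// Try every same-length pair (XOR is symmetric, so variable names do not
// matter) and keep the pairs whose XOR decodes to an address.
function findObfuscatedAddresses(source) {
  const arrays = [...extractByteArrays(source)];
  const hits = [];
  for (let i = 0; i < arrays.length; i++) {
    for (let j = i + 1; j < arrays.length; j++) {
      const [nameA, a] = arrays[i];
      const [nameB, b] = arrays[j];
      if (a.length !== b.length) continue;
      const text = xorDecode(a, b);
      if (ETH_ADDRESS.test(text)) hits.push({ pair: [nameA, nameB], address: text });
    }
  }
  return hits;
}

// Cross-check the README's claim against what the shipped code contains.
function auditPackage({ readme, sources }) {
  const hits = sources.flatMap(({ file, source }) =>
    findObfuscatedAddresses(source).map((h) => ({ file, ...h })));
  const claimsNoWallet = /no hardcoded wallet address/i.test(readme);
  return { hits, contradictsReadme: claimsNoWallet && hits.length > 0 };
}

// Constructed sample: the advisory's address XOR-ed with a throwaway key made
// here, shaped like the layout assumed above (not the real dist file).
const ADVISORY_ADDRESS = '0xe9e41c03d5b0b6fb543f4cd1cd8ad81ece4c830f';
function buildSampleModule(plaintext, seed = 0x5a) {
  const key = Array.from(plaintext, (_, i) => (seed + 7 * i) & 0xff);
  const cipher = Array.from(Buffer.from(plaintext, 'utf8'), (b, i) => b ^ key[i]);
  return [
    '// friction against casual source scrapers',
    `const cipher = [${cipher.join(', ')}];`,
    `const key = [${key.join(', ')}];`,
    'exports.getDefaultStrategyWallet = () => String.fromCharCode(...cipher.map((c, i) => c ^ key[i]));',
  ].join('\n');
}

const DEMO_REPORT = auditPackage({
  readme: 'Transparent by design: no hardcoded wallet addresses.',
  sources: [{ file: 'dist/defaultStrategyWallet.js', source: buildSampleModule(ADVISORY_ADDRESS) }],
});
console.log(JSON.stringify(DEMO_REPORT, null, 2));
```

The scanner deliberately ignores variable names and tries every same-length pair, because an obfuscating author can call the arrays anything; matching the decoded text against the address pattern is what separates a real finding from noise. In practice this runs over the published tarball (the `dist/` output), not the repository source, since that is what `npm install` actually delivers.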
Affected packages
No fixed version published yet for bandkit (npm). Pin to a known-safe version or switch to an alternative.