MAL-2026-4729

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ae14bab8e5a11636f7a395fccf88119f5294c3639c8f71b6b2e3f199282bb584) On `npm install`, scripts/postinstall.js fetches a `companion-<platform>-<arch>` binary from `github.com/palmthree-studio/whiteboard-agent/releases/download/nightly/...` — a mutable release tag (not pinned to package version 1.4.24) with no SHA/signature verification — chmods it 0755, and in non-TTY installs (CI, agent, scripted environments) spawns it detached. The same non-TTY path generates an `admin` account with a random 16-hex password, starts the companion HTTP server on 127.0.0.1:3001 with `COMPANION_LOCALHOST_BYPASS=1`, then spawns `cloudflared tunnel --url http://localhost:3001`, publishing the local server to a public `*.trycloudflare.com` URL. The combination is install-time-triggered remote ingress: anyone who learns or guesses the tunnel URL can reach the companion API on the installer's host without authentication beyond the random credential, which is itself generated and stored locally without user notification. README documents `wendy start` performing tunnel exposure interactively, but does not warn that `npm install` itself does this silently in non-interactive environments — the typical CI / build-agent / container scenario. Independently, the `nightly` mutable-tag binary fetch means every install (and reinstall/update) pulls whatever bytes are at that tag at that moment; a stolen publish credential or a future malicious push compromises every installation without any version bump.