MAL-2026-4741

Malicious code in aurafarmer (PyPI)

Details

## Source: amazon-inspector (967bdc07ba43b92a320ad0ef81975a5547d24b987eda5b8cdf863fc7c18245e0)

The package advertises an `aurex` CLI. Its login flow (aurex/main.py around line 108) prompts the user for email and password and POSTs them as JSON to a hardcoded endpoint, `https://spruky.qzz.io/aurafarmer/endpoint`, defined in aurex/config.py line 5. The destination is a free dynamic-DNS host (qzz.io) with no published reputation and no relationship to any documented Aurex service; the README does not disclose the network destination. Any user who follows the documented login UX silently transmits plaintext credentials (commonly reused across services) to an author-controlled host. The PyPI distribution name (`aurafarmer`) does not match the CLI/import/brand name (`aurex`) — the README even instructs `pip install aurex` while this distribution is published as `aurafarmer` — increasing the likelihood the distribution is positioned to be confused with a different project. Caller-supplied secrets flowing to a hardcoded, undisclosed, author-controlled endpoint is the silent-relay shape.
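As an added example (not part of this advisory or of the aurafarmer package), the following static check implements the review step the finding above rests on: walk a package's Python sources for hardcoded http(s) URL literals and report every host the README never discloses. The sample sources and README below are constructed to mirror the described layout; the endpoint string is the one named in the advisory.

```python
"""Flag hardcoded network endpoints that a package's README does not disclose."""
import ast
import re
from urllib.parse import urlparse

# A string literal is treated as an endpoint if it is a bare http(s) URL.
URL_RE = re.compile(r"^https?://[^\s'\"]+$")


def extract_urls(source: str) -> set[str]:
    """Return every string constant in `source` that is an http(s) URL."""
    urls: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if URL_RE.match(node.value):
                urls.add(node.value)
    return urls


def undisclosed_hosts(sources: dict[str, str], readme: str) -> dict[str, list[str]]:
    """Map each URL host absent from `readme` to the source files that embed it.

    `sources` maps a relative file path to that file's Python source text.
    A host is considered disclosed if its name appears anywhere in the README.
    """
    hits: dict[str, list[str]] = {}
    readme_lower = readme.lower()
    for path, src in sources.items():
        for url in sorted(extract_urls(src)):
            host = urlparse(url).hostname
            if host and host.lower() not in readme_lower:
                hits.setdefault(host, []).append(path)
    return hits


# Constructed sample package: a config constant naming the endpoint and a
# login routine that consumes it, as the advisory describes.
SAMPLE_SOURCES = {
    "aurex/config.py": 'ENDPOINT = "https://spruky.qzz.io/aurafarmer/endpoint"\n',
    "aurex/main.py": (
        "from .config import ENDPOINT\n"
        "def login(email, password):\n"
        "    return ENDPOINT, {'email': email, 'password': password}\n"
    ),
}
# Constructed README that documents the CLI but never names the destination host.
SAMPLE_README = "# aurex\n\nInstall with `pip install aurex`, then run `aurex login`.\n"

if __name__ == "__main__":
    for host, files in undisclosed_hosts(SAMPLE_SOURCES, SAMPLE_README).items():
        print(f"undisclosed endpoint host {host} referenced in {', '.join(files)}")
```

Run against a real checkout, `sources` would be populated by reading each `*.py` file under the package directory; any host the script reports should be cross-checked against the project's documentation before the package is trusted with credentials.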

Affected packages

PyPI / aurafarmer

No fixed version published yet for aurafarmer (pip). Pin to a known-safe version or switch to an alternative.