MAL-2026-4746
Malicious code in crw (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4324181416ad15727c0f51a30b56858c42fad99b93635922494acfe4c0f5d597)

Package 'crw' impersonates the Firecrawl SDK: it declares 'firecrawl' as a keyword, replicates Firecrawl's client surface (CrwClient.scrape/crawl/map/search), and documents 'fc-'-prefixed API keys mirroring Firecrawl's token format. The client's default API endpoint is https://fastcrw.com/api, a lookalike of firecrawl.com, to which the public API methods send caller-supplied URLs, scrape targets, search queries, and the 'fc-' API keys the SDK invites users to paste in. Publisher metadata is placeholder-shaped ('us/crw' on GitHub, homepage us.github.io/crw), inconsistent with a legitimate Firecrawl-compatible client.

Additionally, src/crw/_binary.py fetches a platform binary from github.com/us/crw/releases/latest (mutable 'latest' tag, no hash or signature verification) and src/crw/__main__.py hands it to os.execvp when the user runs the CLI or constructs CrwClient in subprocess mode: an unpinned dropper from the same placeholder publisher.

Installer harm: any developer who installs this expecting a Firecrawl SDK leaks their scraping targets and Firecrawl-shaped API keys to fastcrw.com, and runs an unverified binary downloaded from a placeholder GitHub repository.
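The indicators above (a default endpoint on a host the genuine vendor does not own, a release fetch pinned to the mutable 'latest' tag, execution of that download with no hash or signature check anywhere in the tree, a brand keyword the package name lacks, and placeholder-shaped GitHub owners) can be checked mechanically against any installed package tree. The script below is an added example, not code from the crw package, from Firecrawl, or from the advisory's source. The two package trees it scans are constructed inside the script and only mimic those indicator shapes; the expected-host set {'firecrawl.com'} is taken from the advisory text, and a real triage should use the vendor's documented API host(s). The placeholder-owner rule (owner names of two characters or fewer, or generic words such as 'user' or 'example') is a heuristic assumption.

```python
"""Triage helper for the SDK-impersonation and unpinned-dropper indicators this
advisory describes. Added example, not code from the crw package or from
Firecrawl; the package trees it scans are constructed for the demo only."""
import os
import re
import tempfile
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
LATEST_RE = re.compile(r"github\.com/[^/\s'\"]+/[^/\s'\"]+/releases/latest\b")
EXEC_RE = re.compile(r"\bos\.exec[lv]p?e?\(|\bsubprocess\.(?:run|Popen|call)\(")
VERIFY_RE = re.compile(r"\bhashlib\.sha256\b|\bsigstore\b|\bverify_signature\b")
GH_OWNER_RE = re.compile(r"github\.com/([A-Za-z0-9-]+)/")
PAGES_OWNER_RE = re.compile(r"://([A-Za-z0-9-]+)\.github\.io")
HOSTING = {"github.com", "pypi.org"}  # code hosting, not API endpoints
PLACEHOLDER_OWNERS = {"user", "example", "test", "placeholder"}  # heuristic assumption


def scan_tree(root, expected_hosts):
    """Return the indicator names found in the .py files under *root*."""
    found, saw_exec, saw_verify = set(), False, False
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hosts = {urlparse(u).hostname for u in URL_RE.findall(text)} - {None}
            if hosts - set(expected_hosts) - HOSTING:
                found.add("unexpected_default_endpoint")
            if LATEST_RE.search(text):
                found.add("unpinned_release_fetch")
            saw_exec = saw_exec or bool(EXEC_RE.search(text))
            saw_verify = saw_verify or bool(VERIFY_RE.search(text))
    if saw_exec and not saw_verify:  # execution somewhere, verification nowhere
        found.add("exec_without_verification")
    return found


def check_metadata(meta, brand):
    """Flag a brand keyword the package name lacks and placeholder-shaped owners."""
    found = set()
    keywords = [k.lower() for k in meta.get("keywords", [])]
    if brand in keywords and brand not in meta.get("name", "").lower():
        found.add("brand_keyword_without_brand_in_name")
    for url in meta.get("urls", []):
        for rx in (GH_OWNER_RE, PAGES_OWNER_RE):
            m = rx.search(url)
            # very short or generic owner names are treated as placeholders (heuristic)
            if m and (len(m.group(1)) <= 2 or m.group(1).lower() in PLACEHOLDER_OWNERS):
                found.add("placeholder_publisher")
    return found


def triage(root, meta, brand, expected_hosts):
    """Combined, sorted list of indicators for one package tree plus its metadata."""
    return sorted(scan_tree(root, expected_hosts) | check_metadata(meta, brand))


def build_sample(root, owner, endpoint, pinned, verified):
    """Write a constructed two-file package tree (demo input only, never executed)."""
    pkg = os.path.join(root, "src", "pkg")
    os.makedirs(pkg)
    release = "releases/download/v1.2.0/tool" if pinned else "releases/latest/download/tool"
    binary = ["import os, urllib.request",
              f'URL = "https://github.com/{owner}/pkg/{release}"',
              'EXPECTED = "<pinned sha256 of the release asset>"',
              "def fetch(dest):",
              "    data = urllib.request.urlopen(URL).read()"]
    if verified:
        binary += ["    import hashlib",
                   "    assert hashlib.sha256(data).hexdigest() == EXPECTED"]
    binary += ['    open(dest, "wb").write(data)',
               "def run(dest):",
               "    os.execvp(dest, [dest])"]
    with open(os.path.join(pkg, "client.py"), "w") as fh:
        fh.write(f'DEFAULT_BASE_URL = "{endpoint}"\n')
    with open(os.path.join(pkg, "_binary.py"), "w") as fh:
        fh.write("\n".join(binary) + "\n")


def demo():
    """Triage a suspect tree shaped like this advisory and a clean one; return both results."""
    brand, expected_hosts = "firecrawl", {"firecrawl.com"}  # from the advisory; use documented hosts in real triage
    with tempfile.TemporaryDirectory() as tmp:
        suspect, clean = os.path.join(tmp, "suspect"), os.path.join(tmp, "clean")
        build_sample(suspect, "us", "https://fastcrw.invalid/api", pinned=False, verified=False)
        build_sample(clean, "acme-tools", "https://firecrawl.com/api", pinned=True, verified=True)
        suspect_meta = {"name": "crw", "keywords": ["firecrawl", "scraping"],
                        "urls": ["https://github.com/us/crw", "https://us.github.io/crw"]}
        clean_meta = {"name": "acme-firecrawl-client", "keywords": ["firecrawl"],
                      "urls": ["https://github.com/acme-tools/acme-firecrawl-client"]}
        return (triage(suspect, suspect_meta, brand, expected_hosts),
                triage(clean, clean_meta, brand, expected_hosts))


if __name__ == "__main__":
    bad, good = demo()
    print("suspect:", bad)
    print("clean:", good)
```

Against a real installation, point triage() at the package's site-packages directory and pass the name, keywords and project URLs read from its distribution metadata. The tree-wide exec/verify rule matters: a legitimate client may download in one module and verify in another, so the check only fires when nothing in the tree hashes or signature-checks a download at all.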
Affected packages
No fixed version exists for crw (pip): the package itself is the malicious artifact, so there is no known-safe version to pin to. Uninstall it, remove any binary it fetched from github.com/us/crw/releases, rotate any 'fc-' API key that was pasted into it (the SDK sends those keys to fastcrw.com), and install the genuine Firecrawl SDK instead.
References
- https://pypi.org/project/crw/0.9.1/ [PACKAGE]
- https://pypi.org/project/crw/0.8.3/ [PACKAGE]