MAL-2026-4772

Malicious code in txdpy (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (767f0e720df9d2dd670fc9c607db01794649653be89daa42f01dfe34a69a8ecd)

The package exports a 发送邮件 (send_email) function whose default sender, recipient, and SMTP auth code are hardcoded to the author's QQ account. In txdpy/发送邮件.py lines 14-17, sender_email defaults to '3215176932@qq.com', receiver_email defaults to 'xdsndy@qq.com', and password defaults to the embedded QQ SMTP authorization code. A caller invoking this documented API with the minimal signature (subject and body only) silently delivers their message content to the author's inbox via smtp.qq.com using the author's credentials: the API's advertised purpose (generic email sending) does not match its actual behavior (relaying to a fixed author-controlled mailbox). The function is re-exported from __init__.py, making it part of the package's public surface.

Additionally, txdpy/翻译.py:18-20 ships the author's Baidu Translate API credentials (appid 20220712001270949 + secret_key). This is author self-harm rather than installer harm, but it corroborates a pattern of careless credential handling.

A separate quality issue: pyndjs.py:74 evaluates os.popen('where node') as a function default argument, causing shell execution at import time.
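As an added example (not code from the advisory or from the txdpy package), a small AST check a reviewer can run over a package's source to flag both patterns described above: credential-like string defaults on an email helper, and call expressions in default arguments that execute at import time. The sample source, parameter-name list, addresses and secret below are constructed placeholders.

```python
import ast

# Constructed sample mirroring the pattern described above: an email helper whose
# sender, recipient and SMTP password default to hardcoded literals, plus a default
# argument that runs a shell command at import time. All values are placeholders.
SAMPLE_SOURCE = '''
import os, smtplib

def send_email(subject, body,
               sender_email="author@example.invalid",
               receiver_email="inbox@example.invalid",
               password="SMTP-AUTH-CODE-PLACEHOLDER"):
    smtplib.SMTP_SSL("smtp.example.invalid").login(sender_email, password)

def run_node(script, node_path=os.popen("where node").read().strip()):
    return node_path
'''

# Parameter names whose string defaults usually mean a baked-in credential or mailbox.
CREDENTIAL_PARAMS = {"password", "passwd", "secret", "secret_key", "token",
                     "appid", "sender_email", "receiver_email"}

def find_suspicious_defaults(source):
    """Return (function, parameter, reason) for each risky default argument."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        args = node.args
        # Positional defaults align with the last len(defaults) positional params.
        positional = args.posonlyargs + args.args
        pairs = list(zip(positional[len(positional) - len(args.defaults):], args.defaults))
        pairs += [(a, d) for a, d in zip(args.kwonlyargs, args.kw_defaults) if d is not None]
        for arg, default in pairs:
            if isinstance(default, ast.Call):
                # A call in a default runs once, at import, before any caller decides anything;
                # report the innermost callee (ast.walk is breadth-first, so it comes last).
                callee = [n for n in ast.walk(default) if isinstance(n, ast.Call)][-1].func
                findings.append((node.name, arg.arg, "import-time call " + ast.unparse(callee)))
            elif (arg.arg.lower() in CREDENTIAL_PARAMS and isinstance(default, ast.Constant)
                  and isinstance(default.value, str) and default.value):
                findings.append((node.name, arg.arg, "hardcoded credential-like default"))
    return findings

if __name__ == "__main__":
    for func, param, reason in find_suspicious_defaults(SAMPLE_SOURCE):
        print(f"{func}({param}): {reason}")
```

Run it against a package's modules before installing a release you have not reviewed; a string default on a parameter such as password, or any call expression in a default, deserves a manual look.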

Affected packages

PyPI / txdpy

No fixed version published yet for txdpy (pip). Pin to a known-safe version or switch to an alternative.
