
MAL-2026-4777

Malicious code in xct-x-ayoub (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d33575d7ebb1fa670ce8a2f633471492b04319daffe0f1e10dd35841cf2709af)

On `import XcT_x_AyOuB`, the package's top-level `__init__.py` unconditionally starts a Flask HTTP server bound to 0.0.0.0:5000 (port configurable via PORT). The server exposes /start, /stop, /restart and /settings endpoints that drive packet-flood ("spam") functionality against Free Fire game servers (loginbp.ggpolarbear.com, clientbp.ggpolarbear.com, client.{ind,us}.freefiremobile.com).

The package ships accs.json, containing roughly 300 third-party Garena Free Fire guest UID/password pairs that do not belong to the installer. core.py:init_accounts() loads these at startup and authenticates them via POST to https://100067.connect.garena.com/oauth/guest/token/grant with TLS verification disabled (verify=False and ssl._create_unverified_context()), then opens persistent sockets to the Free Fire login servers. The advertised core function, _spamLoop in core.py, sends one openRoom packet plus N spmRoom packets per cycle through the bundled accounts' sockets to flood the game room of an attacker-supplied target UID.

Installer-side impact:

1. Merely importing the package opens a LAN-reachable control surface that any network-adjacent caller can use to direct the installer's host into generating DoS traffic.
2. The installer's IP address is used to authenticate and abuse the third-party game accounts redistributed inside the package, attributing TOS-violating and potentially illegal traffic to the installer.
3. Roughly 300 bundled third-party credentials are distributed to every installer.

The package is purpose-built abuse tooling, not a dual-use library with a misuse risk.
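The three behaviours called out above (a listener started at import time, TLS verification disabled, a bundled credential store) can be checked statically before a package is ever imported. The script below is an added triage example, not part of the advisory and not the package's own code: it parses each `.py` file with `ast`, flags listener calls that execute at module level (ignoring `def`/`class` bodies and the `__main__` guard), flags `verify=False` and `ssl._create_unverified_context()` anywhere, and counts credential-shaped records in JSON files. The mock package it scans is constructed in a temp directory to exercise the checks; the `LISTENER_CALLS` and `CRED_KEYS` sets are assumed starting lists, not a complete signature.

```python
"""Static triage of a Python package tree for import-time listeners, disabled
TLS verification and bundled credentials. The package scanned here is a
constructed mock (build_mock_package), not the real xct-x-ayoub code."""
import ast
import json
import tempfile
from pathlib import Path

# Method names that start a listener when called (assumed list; extend as needed).
LISTENER_CALLS = {"run", "serve_forever", "listen"}
# Keys suggesting a JSON record is a credential (assumed list).
CRED_KEYS = {"uid", "password", "pass", "pwd", "token"}


def _is_main_guard(stmt: ast.stmt) -> bool:
    """True for `if __name__ == "__main__":`, whose body does not run on import."""
    return (isinstance(stmt, ast.If) and isinstance(stmt.test, ast.Compare)
            and isinstance(stmt.test.left, ast.Name) and stmt.test.left.id == "__name__")


def _import_time_nodes(tree: ast.Module):
    """Yield every node that executes when the module is merely imported:
    def/class bodies run only when called, and the __main__ guard is skipped."""
    for stmt in tree.body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        if _is_main_guard(stmt):
            continue
        yield from ast.walk(stmt)


def _call_name(call: ast.Call) -> str:
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")


def scan_source(path: Path) -> list:
    """Return (file, line, message) findings for one .py file."""
    findings = []
    tree = ast.parse(path.read_text(encoding="utf-8"), filename=str(path))
    for node in _import_time_nodes(tree):
        if isinstance(node, ast.Call) and _call_name(node) in LISTENER_CALLS:
            findings.append((path.name, node.lineno,
                             f"import-time listener: {ast.unparse(node.func)}()"))
    for node in ast.walk(tree):  # these are bad anywhere, not only at import time
        if not isinstance(node, ast.Call):
            continue
        if any(kw.arg == "verify" and isinstance(kw.value, ast.Constant)
               and kw.value.value is False for kw in node.keywords):
            findings.append((path.name, node.lineno, "TLS verification disabled: verify=False"))
        if isinstance(node.func, ast.Attribute) and node.func.attr == "_create_unverified_context":
            findings.append((path.name, node.lineno,
                             "TLS verification disabled: ssl._create_unverified_context()"))
    return findings


def scan_json(path: Path, min_records: int = 5) -> list:
    """Flag a JSON file holding many credential-shaped records (list or dict of dicts)."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except ValueError:
        return []
    records = data if isinstance(data, list) else list(data.values()) if isinstance(data, dict) else []
    creds = [r for r in records if isinstance(r, dict) and CRED_KEYS & {str(k).lower() for k in r}]
    if len(creds) >= min_records:
        return [(path.name, 0, f"bundled credential store: {len(creds)} records")]
    return []


def scan_package(root: Path) -> list:
    findings = []
    for path in sorted(root.rglob("*")):
        if path.suffix == ".py":
            findings.extend(scan_source(path))
        elif path.suffix == ".json":
            findings.extend(scan_json(path))
    return findings


def build_mock_package(root: Path) -> Path:
    """Constructed stand-in modelled on the described behaviours; not the real package."""
    pkg = root / "mockpkg"
    pkg.mkdir()
    (pkg / "__init__.py").write_text(
        "from flask import Flask\n"
        "app = Flask(__name__)\n"
        "def start_later():\n"
        "    app.run(host='127.0.0.1')  # inside a def: not an import-time effect\n"
        "if __name__ == '__main__':\n"
        "    app.run()  # guarded: not an import-time effect\n"
        "app.run(host='0.0.0.0', port=5000)  # runs on import\n", encoding="utf-8")
    (pkg / "core.py").write_text(
        "import requests, ssl\n"
        "def init_accounts(url, acc):\n"
        "    requests.post(url, json=acc, verify=False)\n"
        "    return ssl._create_unverified_context()\n", encoding="utf-8")
    accounts = [{"uid": str(1000 + i), "password": f"pw{i}"} for i in range(300)]
    (pkg / "accs.json").write_text(json.dumps(accounts), encoding="utf-8")
    return pkg


def demo() -> list:
    """Build the mock package and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_package(build_mock_package(Path(tmp)))


if __name__ == "__main__":
    for name, line, msg in demo():
        print(f"{name}:{line}: {msg}")
```

Point `scan_package` at a real site-packages directory (for example `Path(site.getsitepackages()[0]) / "XcT_x_AyOuB"`) to triage an installed copy without importing it. Only the module-level listener call is reported; the same call inside a function or under the `__main__` guard is not, which is the distinction that matters for an import-time side effect.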


Affected packages

PyPI / xct-x-ayoub

No fixed version has been published for xct-x-ayoub (pip). Because the package is purpose-built abuse tooling rather than a library with a fixable defect, there is no known-safe version to pin to: uninstall it and switch to an alternative.
