MAL-2026-4795
Malicious code in massive (PyPI)
Details
## Source: amazon-inspector (02d8dea3e47a2bd45fc796f33fc582956aec2be887add9672fd5eccc91c2135d)

Package self-describes as the 'Official Massive (formerly Polygon.io) REST and Websocket client,' a false rebrand claim — Polygon.io has not changed names. The source is a near-verbatim clone of the legitimate polygon-api-client with brand strings substituted: massive/rest/__init__.py hardcodes `BASE = "https://api.massive.com"`, the API key environment variable is renamed `MASSIVE_API_KEY`, and the repository URL `github.com/massive-com/client-python` is a lookalike of `polygon-io/client-python`.

Because the API shape is identical to the legitimate Polygon SDK, copy-pasted developer code 'just works' but sends the caller's real Polygon bearer token (massive/rest/base.py:46 attaches `Authorization: Bearer <API_KEY>` to every request) plus all market-data queries to api.massive.com — a destination the developer did not choose and which the documented config does not redirect (callers would have to override `base=` on every client instantiation). The websocket client similarly hardcodes a non-Polygon feed host.

Net effect: any developer installing this expecting the Polygon SDK silently relays their API credentials and queries to an attacker-controlled lookalike domain.
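The two things the analysis above hinges on, a hardcoded non-Polygon endpoint and a renamed credential environment variable, are easy to check for before a clone like this ever gets a real token. The script below is an added example written for this page; it is not part of the advisory, the Inspector finding, or any package's own code. It assumes the developer's intended hosts are `api.polygon.io` and `socket.polygon.io` and the intended credential variable is `POLYGON_API_KEY` (edit `EXPECTED_HOSTS` / `EXPECTED_ENV_VAR` for other SDKs), uses regex heuristics for `BASE = "..."`-style constants and `os.environ` lookups, and runs against constructed sample sources that mimic the clone and the legitimate client. The `wss://` host in the clone sample is a made-up placeholder, since the advisory does not name the websocket host.

```python
"""Audit an installed SDK for hardcoded endpoints and credential env vars that
don't match what the developer expects, and refuse to attach a bearer token to
any host outside an allowlist. Added example; assumptions noted in comments."""
import importlib.util
import pathlib
import re
from urllib.parse import urlparse

# Assumption: the hosts and env var the developer actually intends to use.
EXPECTED_HOSTS = frozenset({"api.polygon.io", "socket.polygon.io"})
EXPECTED_ENV_VAR = "POLYGON_API_KEY"

# Heuristics: module-level endpoint constants and os.environ credential reads.
ENDPOINT_RE = re.compile(
    r'\b(?:BASE|BASE_URL|HOST|URL)\s*=\s*["\']((?:https?|wss?)://[^"\']+)["\']'
)
ENV_RE = re.compile(
    r'os\.(?:environ\.get|getenv|environ\[)\s*\(?\s*["\']([A-Z0-9_]+)["\']'
)


def audit_source(files: dict[str, str]) -> list[str]:
    """Return one finding per unexpected endpoint host or credential env var."""
    findings = []
    for path, text in files.items():
        for m in ENDPOINT_RE.finditer(text):
            host = urlparse(m.group(1)).hostname
            if host not in EXPECTED_HOSTS:
                findings.append(
                    f"{path}: hardcoded endpoint {m.group(1)} (host {host}) not in allowlist"
                )
        for m in ENV_RE.finditer(text):
            var = m.group(1)
            if var.endswith("API_KEY") and var != EXPECTED_ENV_VAR:
                findings.append(
                    f"{path}: reads credential from {var} instead of {EXPECTED_ENV_VAR}"
                )
    return findings


def audit_installed(package: str) -> list[str]:
    """Walk an installed package's .py files and run audit_source over them."""
    spec = importlib.util.find_spec(package)
    if spec is None or not spec.submodule_search_locations:
        return [f"{package}: not installed or not a package"]
    files = {}
    for root in spec.submodule_search_locations:
        for p in pathlib.Path(root).rglob("*.py"):
            files[str(p)] = p.read_text(errors="replace")
    return audit_source(files)


def bearer_headers_for(url: str, token: str, allowed_hosts=EXPECTED_HOSTS) -> dict:
    """Runtime guard: only build an Authorization header for allowlisted hosts.
    A hardcoded BASE pointing elsewhere fails here instead of leaking the token."""
    host = urlparse(url).hostname
    if host not in allowed_hosts:
        raise ValueError(f"refusing to send bearer token to unexpected host {host!r}")
    return {"Authorization": f"Bearer {token}"}


# Constructed samples (not real package contents) shaped like the clone described
# in the advisory and like the legitimate client. The websocket host is a placeholder.
CLONE_SAMPLE = {
    "massive/rest/__init__.py": 'BASE = "https://api.massive.com"\n',
    "massive/rest/base.py": (
        "import os\n"
        "class BaseClient:\n"
        "    def __init__(self, api_key=None):\n"
        '        self.API_KEY = api_key or os.environ.get("MASSIVE_API_KEY")\n'
    ),
    "massive/websocket/__init__.py": 'HOST = "wss://socket.lookalike.example"\n',
}
LEGIT_SAMPLE = {
    "polygon/rest/__init__.py": 'BASE = "https://api.polygon.io"\n',
    "polygon/rest/base.py": (
        "import os\n"
        '        self.API_KEY = api_key or os.environ.get("POLYGON_API_KEY")\n'
    ),
}

if __name__ == "__main__":
    for name, sample in (("clone", CLONE_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(f"== {name}: {len(audit_source(sample))} finding(s)")
        for f in audit_source(sample):
            print("  ", f)
    # Example of auditing whatever is actually installed under a given name:
    # print(audit_installed("polygon"))
```

The static check is meant to run in CI or a pre-commit hook against `site-packages` right after `pip install`; the runtime guard is the belt-and-braces half, so that even if a clone slips through, a request to an unexpected host raises before the token leaves the process.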
Affected packages
No fixed version published yet for massive (pip). Pin to a known-safe version or switch to an alternative.
References
- https://pypi.org/project/massive/2.8.0/ [PACKAGE]