MAL-2026-4813
Malicious code in noteparse (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (270d4c797fe34bc0b9598608f45add8721f1fa80d1488e4fae750e3a7b38419e)

noteparse 1.1.27 ships live MinIO credentials in configReader.py (endpoint uicfile.uniview.com, access_key 'uicpro', secret_key 'uicpropass123*') that are loaded transitively whenever the package is imported. On `import noteparse`, __init__.py imports dbHelper.py, which calls configReader.readConfig at module top level, opening a TLS connection to uicfile.uniview.com to download uic-config.ini, and then immediately opens a MySQL connection (the top-level `connection = create_connection()` in dbHelper.py) using credentials parsed from that fetched config.

Two consequences for anyone who installs the package:

(1) Any installer can extract the embedded MinIO credentials and use them to read and write the author's company bucket, so the package is a credential-distribution surface.

(2) Merely importing the library phones home to author-controlled infrastructure and attempts to authenticate to a remote MySQL server. This breaks offline, sandboxed and CI environments and discloses installer host activity to the author.

This behavior does not match any documented purpose of the library.
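The import chain described above can be confirmed without ever running the package: parse the sources, follow package-internal imports from __init__.py, and flag both the calls that execute at module top level on that path and any credential- or endpoint-looking names bound to string literals. The script below is an added example, not part of this advisory and not code from noteparse or amazon-inspector. The sample package it scans is constructed to mirror the described structure (an __init__ that imports a db helper, which calls a config reader and opens a connection at import time); its file names, host and values are made up and are not the real package's code or the credentials quoted above.

```python
"""Audit a Python package for import-time side effects without importing it.

Parses every module reachable from the package's __init__ through
package-internal imports, then flags (a) calls that run at module top level on
that path and (b) credential- or endpoint-looking names bound to string
literals. No package code is ever executed.
"""
import ast
import re

CRED_NAME = re.compile(r"access_key|secret_key|secret|passw|token|api_key", re.I)
ENDPOINT_NAME = re.compile(r"endpoint|host|url", re.I)

# Constructed sample package mirroring the import chain the advisory describes
# (__init__ -> dbHelper -> configReader, DB connection opened at top level).
# It is NOT the real noteparse source: every name, host and value is made up.
SAMPLE_PACKAGE = {
    "noteparse/__init__.py": "from .dbHelper import connection\n",
    "noteparse/dbHelper.py": (
        "import pymysql\n"
        "from . import configReader\n"
        "cfg = configReader.readConfig()\n"
        "def create_connection():\n"
        "    return pymysql.connect(host=cfg['host'], user=cfg['user'],"
        " password=cfg['pass'])\n"
        "connection = create_connection()\n"
    ),
    "noteparse/configReader.py": (
        "from minio import Minio\n"
        "ENDPOINT = 'files.example.invalid'\n"
        "ACCESS_KEY = 'exampleuser'\n"
        "SECRET_KEY = 'examplesecret'\n"
        "def readConfig():\n"
        "    client = Minio(ENDPOINT, access_key=ACCESS_KEY, secret_key=SECRET_KEY)\n"
        "    data = client.get_object('bucket', 'config.ini').read()\n"
        "    return dict(line.split('=', 1) for line in data.decode().splitlines())\n"
    ),
    # Never imported by __init__, so it does not execute on `import noteparse`.
    "noteparse/parser.py": "def parse(text):\n    return text.split()\n",
}


def _internal_imports(path, node, files):
    """Map one module-level import statement to the package files it pulls in."""
    pkg_dir = path.rsplit("/", 1)[0]          # directory containing this module
    top = pkg_dir.split("/")[0]               # top-level package name
    candidates = []
    if isinstance(node, ast.ImportFrom):
        if node.level:                        # relative import: from . / .. / .mod
            base = pkg_dir
            for _ in range(node.level - 1):
                base = base.rsplit("/", 1)[0]
            if node.module:
                base = f"{base}/{node.module.replace('.', '/')}"
            candidates.append(base)
            candidates += [f"{base}/{a.name}" for a in node.names]
        elif node.module and node.module.split(".")[0] == top:
            candidates.append(node.module.replace(".", "/"))
    elif isinstance(node, ast.Import):
        candidates += [a.name.replace(".", "/") for a in node.names
                       if a.name.split(".")[0] == top]
    return [f for c in candidates for f in (f"{c}.py", f"{c}/__init__.py") if f in files]


def import_reachable(files, entry):
    """Package modules executed by importing `entry`, in visit order.

    Only module-level imports are followed; imports nested in functions,
    `try` or `if` blocks are not traversed (a known blind spot of this check).
    """
    seen, stack = [], [entry]
    while stack:
        path = stack.pop()
        if path in seen:
            continue
        seen.append(path)
        for node in ast.parse(files[path], filename=path).body:
            if isinstance(node, (ast.Import, ast.ImportFrom)):
                stack.extend(_internal_imports(path, node, files))
    return seen


def _flag_literal(path, lineno, name, value, findings):
    """Record a credential- or endpoint-like name bound to a string literal."""
    if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
        return
    if CRED_NAME.search(name):
        findings.append((path, lineno, "hardcoded-credential", name))
    elif ENDPOINT_NAME.search(name):
        findings.append((path, lineno, "hardcoded-endpoint", name))


def scan_module(path, src):
    """Findings for one module: top-level calls plus hardcoded secrets/endpoints."""
    tree = ast.parse(src, filename=path)
    findings = []
    for stmt in tree.body:
        # Definitions and imports run nothing by themselves (class bodies do
        # execute at import but are not walked here, to keep the check short).
        if isinstance(stmt, (ast.Import, ast.ImportFrom, ast.FunctionDef,
                             ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        if isinstance(stmt, ast.If) and "__name__" in ast.unparse(stmt.test):
            continue                      # `if __name__ == "__main__":` guard
        for node in ast.walk(stmt):       # every other statement runs on import
            if isinstance(node, ast.Call):
                findings.append((path, node.lineno, "top-level-call",
                                 ast.unparse(node.func)))
    for node in ast.walk(tree):           # literal secrets anywhere in the file
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    _flag_literal(path, node.lineno, target.id, node.value, findings)
        elif isinstance(node, ast.keyword) and node.arg:
            _flag_literal(path, getattr(node, "lineno", 0), node.arg, node.value, findings)
    return findings


def audit_package(files, entry):
    """Return (modules executed by importing `entry`, findings on that path)."""
    reached = import_reachable(files, entry)
    findings = []
    for path in reached:
        findings.extend(scan_module(path, files[path]))
    return reached, findings


if __name__ == "__main__":
    reached, findings = audit_package(SAMPLE_PACKAGE, "noteparse/__init__.py")
    print("modules executed on import:", reached)
    for f in findings:
        print("%s:%d %s %s" % f)
```

To run this against a real download, unpack the sdist or wheel and build the `files` dict from the extracted tree (each .py file keyed by its package-relative path). The check is deliberately static, so a module whose import would phone home is inspected without being executed. Note what it does and does not catch: `pymysql.connect` inside `create_connection` is not reported on its own, only the top-level `create_connection()` call that invokes it, and parser.py produces nothing because `import noteparse` never reaches it.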
Affected packages
No fixed version published yet for noteparse (pip). Pin to a known-safe version or switch to an alternative.