MAL-2026-4821

Malicious code in pywingui (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6db77876bf3b13e55750748761841f7ab77f17bd951bdc1c749e1e56d4416d7e)

pywingui 6.0.1 advertises itself as a Win32 UI automation framework but ships only Nuitka-compiled cp311-win32.pyd binaries (the 4 .py files are trivial re-exports). Two undisclosed behaviors are embedded in those binaries:

1) Silent relay of OCR data: ui/ocr_utils.cp311-win32.pyd embeds a hardcoded Nanonets bearer token ('Bearer bc65bc5e-1ba4-4284-96ec-3320920b32cd') and an OCR.space API key ('K83196308188957'), and config sets DEFAULT_OCR_PROVIDER='nanonets'. The OCR helpers (read_form_smart and related) upload caller-supplied window screenshots to https://extraction-api.nanonets.com/api/v1/extract/sync and https://api.ocr.space/Parse/Image using the author's own accounts, so any image the consumer OCRs through the documented API is delivered to the author's Nanonets dashboard. The README (which emphasizes Progress OpenEdge ERP automation) does not disclose this. The hardcoded third-party API keys are also redistributed to every installer.

2) Undisclosed phone-home / kill-switch: core/runtime_guard.cp311-win32.pyd builds a machine fingerprint from socket.gethostname() + getpass.getuser() hashed with SHA-256 and POSTs {action:'check', app:'PYWINGUI', machine_id} to a hardcoded Google Apps Script endpoint (script.google.com/macros/s/AKfycbw_wxvGol9xUpiwvIJYSvV488bUzKt5-2n6Q9mw8_hSG9N22zUUce2hw0mbUgB4lDqB/exec). RuntimeGuard().validate() is invoked from Engine.__init__, which is constructed by the AppContext every consumer instantiates, so the beacon fires on normal first use. The result is cached Fernet-encrypted under ~/.pywingui/. README mentions no licensing or telemetry, and the server can deny access (kill-switch).

The compiled-only distribution hides both behaviors from source audit. This satisfies the silent-relay class (caller-supplied OCR data flowing to author-controlled SaaS via author credentials) and adds an undisclosed identifier-beacon with remote-disable capability.
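As an added example (not part of this advisory or of the package), a small Python checker that looks for the indicators described above in an installed copy: the compiled-only layout, the hardcoded Nanonets, OCR.space and Apps Script endpoints inside the .pyd files, and the ~/.pywingui cache directory. The install tree it scans is constructed inline to mirror the advisory; the 256-byte stub threshold is an assumption.

```python
import tempfile
from pathlib import Path

# Indicator strings quoted in the advisory above; nothing beyond them is assumed.
INDICATORS = {
    "nanonets_upload": b"extraction-api.nanonets.com/api/v1/extract/sync",
    "ocrspace_upload": b"api.ocr.space/Parse/Image",
    "apps_script_beacon": (b"script.google.com/macros/s/AKfycbw_wxvGol9xUpiwvIJYSvV"
                           b"488bUzKt5-2n6Q9mw8_hSG9N22zUUce2hw0mbUgB4lDqB/exec"),
}
STUB_PY_MAX_BYTES = 256  # assumption: a "trivial re-export" .py stub is tiny

def scan_pywingui(pkg_dir, home_dir):
    """Check one installed package tree, plus the user's home, for the indicators."""
    pkg = Path(pkg_dir)
    pyd_files, py_files = sorted(pkg.rglob("*.pyd")), sorted(pkg.rglob("*.py"))
    # Compiled-only distribution: native .pyd modules present, every .py just a stub.
    compiled_only = bool(pyd_files) and all(
        f.stat().st_size <= STUB_PY_MAX_BYTES for f in py_files)
    hits = {}
    for f in pyd_files + py_files:
        data = f.read_bytes()  # a plain substring search is enough for literal URLs
        matched = [name for name, needle in INDICATORS.items() if needle in data]
        if matched:
            hits[f.relative_to(pkg).as_posix()] = matched
    cache_present = (Path(home_dir) / ".pywingui").is_dir()  # RuntimeGuard's cache
    return {"compiled_only": compiled_only, "indicator_hits": hits,
            "cache_dir_present": cache_present,
            "suspicious": bool(hits) or cache_present}

def build_constructed_sample(root):
    """Write a CONSTRUCTED fake install that mirrors the advisory's file layout."""
    pkg, home = Path(root, "site-packages", "pywingui"), Path(root, "home")
    (pkg / "ui").mkdir(parents=True)
    (pkg / "core").mkdir()
    (pkg / "ui" / "ocr_utils.py").write_text("from .ocr_utils import *\n")
    (pkg / "ui" / "ocr_utils.cp311-win32.pyd").write_bytes(
        b"MZ\x00" + INDICATORS["nanonets_upload"] + b"\x00" + INDICATORS["ocrspace_upload"])
    (pkg / "core" / "runtime_guard.cp311-win32.pyd").write_bytes(
        b"MZ\x00" + INDICATORS["apps_script_beacon"])
    (home / ".pywingui").mkdir(parents=True)  # simulates the cached beacon result
    return pkg, home

def demo_scan(malicious=True):
    """Scan the constructed sample (or an empty, clean tree) and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        if malicious:
            return scan_pywingui(*build_constructed_sample(tmp))
        Path(tmp, "home").mkdir()
        return scan_pywingui(tmp, Path(tmp, "home"))
```

On a real machine, point scan_pywingui at the pywingui directory under site-packages and at the user's home; a hit on any endpoint or an existing ~/.pywingui directory means the package has been installed and most likely already run.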

Affected packages

PyPI / pywingui

No fixed version published yet for pywingui (pip). Pin to a known-safe version or switch to an alternative.