MAL-2026-5615
Malicious code in sysau (npm)
Details
## Source: amazon-inspector (2b9246e768a775d54485e7208d0ed4fc575af09bc78c3fde95c5cb24ebc2350d)

Package advertises itself as a 'System binary configuration tool' but ships pointer.py (spawned by index.js) which hardcodes VERCEL_API_URL='https://iq-overlay-pointer.vercel.app/api' and continuously transmits installer-side data to that endpoint. A monitor loop polls the system clipboard every 300ms and POSTs changes; the alt+s hotkey captures the full screen via mss/ImageGrab and uploads base64 image data; F8/F9/F10 hotkeys use the Windows UI Automation API (uiautomation library) to walk the control tree of arbitrary foreground applications (browsers, IDEs, email clients), extract Edit/Text/Document control values (including IAccessible2 Legacy patterns), and route them to the same endpoint via the clipboard channel.

To enable this on machines without Python, index.js silently installs a Python runtime: it first attempts winget --silent, then falls back to downloading python-3.12.3-amd64.exe from python.org to %TEMP% and executing it with `/quiet InstallAllUsers=0 PrependPath=1` (comments in the script describe this as 'GHOST INSTALLER... No UI, No Admin Popup'). It then pip-installs keyboard, pyautogui, mss, uiautomation, pywin32, and others before spawning pointer.py.

pointer.py also installs system-wide keyboard hooks with keystroke suppression (`keyboard.on_press(..., suppress=True)`) and renders a 75%-alpha, overrideredirect, transparent-color tk overlay window labelled '.', a stealth UI consistent with a covert surveillance/interview-cheating overlay rather than the advertised binary configuration utility. None of this behavior is disclosed in the package metadata.
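The behaviours above (an install hook that spawns index.js, a silent Python runtime bootstrap, a pip install of input-capture libraries, a spawned pointer.py, a hardcoded vercel.app endpoint, and a suppressing keyboard hook) can be turned into a package triage check. The script below is an added example for defenders, not code from the advisory, from Amazon Inspector, or from the sysau package. The regular expressions are assumptions derived from the indicators the advisory names; the fixture it builds is a constructed, inert imitation of the described file layout (indicator strings only), so the scan runs offline. A match is a lead for manual review, not proof of malice.

```python
"""Triage helper (added example): scan an installed npm package for the
install-time behaviours described in MAL-2026-5615."""
import json
import os
import re
import tempfile
from dataclasses import dataclass

# Indicator patterns derived from the advisory's description (assumption: these
# regexes are ours, not Amazon Inspector's detection logic). Applied line by line
# to package.json lifecycle hooks and to every .js/.py file in the package.
INDICATORS = {
    "winget_silent": re.compile(r"\bwinget\b.*--silent", re.I),
    "python_installer_exe": re.compile(r"python-3\.\d+\.\d+-amd64\.exe", re.I),
    "quiet_all_users_install": re.compile(r"/quiet\b.*InstallAllUsers=\d", re.I),
    "pip_input_capture_libs": re.compile(
        r"\bpip3?\s+install\b.*\b(keyboard|pyautogui|mss|uiautomation|pywin32)\b", re.I),
    "spawn_python_payload": re.compile(
        r"\b(spawn|spawnSync|exec|execSync|execFile)\s*\(\s*['\"]python3?(\.exe)?['\"]", re.I),
    "hardcoded_vercel_api": re.compile(r"https?://[\w.-]+\.vercel\.app/api\b", re.I),
    "keyboard_suppress_hook": re.compile(r"keyboard\.on_press\([^)]*suppress\s*=\s*True", re.I),
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


@dataclass(frozen=True)
class Finding:
    path: str        # file (or "package.json:<hook>") where the indicator matched
    indicator: str   # key from INDICATORS
    line: int        # 1-based line number within that file
    snippet: str     # the matching line, trimmed


def scan_text(path, text):
    """Return a Finding for every (line, indicator) pair that matches in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(path, name, lineno, line.strip()[:120]))
    return findings


def scan_package(pkg_dir):
    """Scan package.json lifecycle hooks plus every .js/.py file under pkg_dir.
    Returns (hooks, findings); hooks is the subset of scripts that run at install."""
    findings, hooks = [], {}
    manifest = os.path.join(pkg_dir, "package.json")
    if os.path.exists(manifest):
        with open(manifest, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
        hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
        for hook, cmd in hooks.items():
            findings += scan_text(f"package.json:{hook}", cmd)
    for root, _dirs, files in os.walk(pkg_dir):
        for fname in files:
            if fname.endswith((".js", ".py")):
                full = os.path.join(root, fname)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings += scan_text(os.path.relpath(full, pkg_dir), fh.read())
    return hooks, findings


def verdict(hooks, findings):
    """Summarise distinct indicators hit and decide whether to block the install.
    Policy (our assumption): code running at install time plus any sign of a
    silent runtime bootstrap is enough to block pending manual review."""
    hit = sorted({f.indicator for f in findings})
    bootstrap = {"winget_silent", "python_installer_exe", "quiet_all_users_install"}
    block = bool(hooks) and bool(bootstrap & set(hit))
    return {"indicators": hit, "install_hooks": sorted(hooks), "block": block}


def build_sample_package():
    """Write a constructed fixture mirroring the advisory's described layout.
    Contents are inert indicator strings, not the real package's code."""
    d = tempfile.mkdtemp(prefix="mal-2026-5615-fixture-")
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "fixture", "version": "0.0.0",
                   "description": "System binary configuration tool",
                   "scripts": {"postinstall": "node index.js"}}, fh)
    with open(os.path.join(d, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("\n".join([
            "// constructed fixture: indicator strings only",
            'const step1 = "winget install --silent";',
            'const step2 = "python-3.12.3-amd64.exe /quiet InstallAllUsers=0 PrependPath=1";',
            'const step3 = "pip install keyboard pyautogui mss uiautomation pywin32";',
            "const step4 = \"spawn('python', ['pointer.py'])\";",
        ]) + "\n")
    with open(os.path.join(d, "pointer.py"), "w", encoding="utf-8") as fh:
        fh.write("# constructed fixture\n"
                 "VERCEL_API_URL = 'https://iq-overlay-pointer.vercel.app/api'\n"
                 "HOOK = \"keyboard.on_press(handler, suppress=True)\"\n")
    return d


if __name__ == "__main__":
    hooks, findings = scan_package(build_sample_package())
    for f in findings:
        print(f"{f.path}:{f.line} [{f.indicator}] {f.snippet}")
    print(verdict(hooks, findings))
```

Point `scan_package` at a real `node_modules/<name>` directory to triage it; the fixture exists only so the script demonstrates a full hit. Because the check keys on the advertised install flow rather than on a package name or hash, it also surfaces lookalike packages that reuse the same bootstrap, at the cost of flagging legitimate tooling that drives winget or pip from an install hook, which is why the output is a review queue and not an automatic verdict.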
Affected packages
No fixed version published yet for sysau (npm). Pin to a known-safe version or switch to an alternative.