MAL-2026-5894
Malicious code in create-vercel-integration (npm)
Details
## Source: amazon-inspector (aeaea6bab6360c38ed5a7de7065eb04d0ac489bb3670b68defc8bc26874d3d62)

Package name mimics Vercel's official `create-*` initializer convention (e.g. `create-next-app`), targeting developers who mistype or guess the initializer name and invoke `npx create-vercel-integration`. The bin script (`bin/run.js`) hardcodes a callback URL `https://deepbounty.dd06-dev.fr/cb/f7506d76-f300-4c91-a105-41c07ad317fc` and, on invocation, reads the `INIT_CWD` environment variable, extracts its basename, and POSTs `{pkg, timestamp, transport, project}` to that author-controlled endpoint. The package self-describes as a 'Bug Bounty PoC,' but it is published on the public npm registry under a name shaped like an official Vercel scaffold and silently leaks the installer's project directory name to a third party with no disclosure or opt-out. The package provides no legitimate Vercel-integration scaffolding functionality; the bin's only effect is the beacon.
Affected packages
No fixed version published yet for create-vercel-integration (npm). Pin to a known-safe version or switch to an alternative.