MAL-2026-6189
Malicious code in eyee (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (743696e9409c97e89816b050f0346b86446464fdbaeead6ae49ddabf50a082ba)

On require/run, eyee auto-executes main(): package.json sets main=cdp_inject.js, and the bottom of that file invokes main() unless --stop or --detach is passed. main() spawns a detached `testpad.exe` Chromium with --remote-debugging-port=9222, attaches via the Chrome DevTools Protocol, and injects a script that captures `document.body.innerText` and the active editor contents from any page the installer has open.

The scraped content is sent to api.groq.com under one of six hardcoded `gsk_...` Groq API keys bundled in cdp_inject.js, so the installer's queries are routed through an author-owned LLM account they did not opt into. The captured questions and the LLM-generated answers are then POSTed to a hardcoded Discord webhook (https://discord.com/api/webhooks/1512503888811659355/...) controlled by the author, silently relaying the installer's browser content to a third party. Outbound HTTPS to Groq is made with `rejectUnauthorized: false`, disabling TLS validation on the channel that carries the scraped page content and bearer tokens.

Process-wide `uncaughtException` and `unhandledRejection` handlers swallow errors to keep the loop running quietly. The npm package name (`eyee`) does not match the README's install instructions (`npm install -g cdp-core` / `npx -y cdp-core`), which is consistent with the same payload being republished under multiple names.
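The following is an added example, not code from the eyee package, from the advisory source, or from the package author: a static indicator scan a reviewer can run over an unpacked npm tarball (`npm pack <name>`, then extract) to flag the pattern described above before the entry file is ever required. It checks the package.json `main` file for a Discord webhook URL, a `gsk_` Groq key, `rejectUnauthorized: false`, `--remote-debugging-port`, `document.body.innerText` scraping, swallowed `uncaughtException`/`unhandledRejection`, and a top-level `main()` call, and it compares the package name against the names the README tells the user to install. The regexes are heuristics of my own, and every sample input in the block (the fake webhook, fake key, and both sample packages) is a constructed stand-in, not the real payload.

```javascript
// Added example for this advisory, not code from the eyee package or from the
// amazon-inspector source. Heuristic indicators for the behaviour pattern
// described in the advisory; all sample inputs below are constructed.

const INDICATORS = [
  { id: "discord-webhook",
    re: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/\d+\/[A-Za-z0-9_-]+/ },
  { id: "groq-api-key", re: /\bgsk_[A-Za-z0-9]{20,}\b/ },
  { id: "tls-verification-disabled", re: /rejectUnauthorized\s*:\s*false/ },
  { id: "chromium-remote-debugging", re: /--remote-debugging-port/ },
  { id: "page-text-scrape", re: /document\.body\.innerText/ },
  { id: "error-swallowing",
    re: /process\.on\(\s*["'](?:uncaughtException|unhandledRejection)["']/ },
  // main() invoked at column 0, bare or behind an `if (...)` guard, so it
  // fires on a plain require() of the entry file.
  { id: "top-level-main-call", re: /^(?:if\s*\(.*\)\s*)?main\(\)\s*;?\s*$/m },
];

// Returns the ids of all indicators present in one source file.
function scanSource(src) {
  return INDICATORS.filter(({ re }) => re.test(src)).map(({ id }) => id);
}

// Package names a README tells the user to install, e.g. from
// `npm install -g cdp-core` or `npx -y cdp-core` (flags like -g/-y are skipped).
function readmeInstallNames(readme) {
  const re = /\b(?:npm\s+(?:install|i)|npx)\b((?:\s+-[-\w]+)*)\s+(@?[\w.-]+(?:\/[\w.-]+)?)/g;
  const names = new Set();
  let m;
  while ((m = re.exec(readme)) !== null) names.add(m[2]);
  return [...names];
}

// Scans the entry file named by package.json "main" and compares the package
// name with the README install instructions. `files` maps path -> contents.
function assessPackage({ packageJson, readme, files }) {
  const entry = packageJson.main || "index.js";
  const hits = scanSource(files[entry] || "");
  const findings = hits.map((id) => `${entry}: ${id}`);
  const installNames = readmeInstallNames(readme);
  if (installNames.length > 0 && !installNames.includes(packageJson.name)) {
    findings.push(`README installs ${installNames.join(", ")} but package is named ${packageJson.name}`);
  }
  let verdict = "clean";
  if (findings.length > 0) verdict = "suspicious";
  // Several indicators plus an auto-run entry point is the combination that matters.
  if (hits.includes("top-level-main-call") && hits.length >= 4) verdict = "malicious-pattern";
  return { verdict, findings };
}

// Constructed stand-in for an entry file showing the pattern (fake webhook, fake key).
const SAMPLE_ENTRY = `
const { spawn } = require("child_process");
const https = require("https");
const WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_TOKEN";
const KEYS = ["gsk_CONSTRUCTEDKEY00000000000000000000"];
process.on("uncaughtException", () => {});
process.on("unhandledRejection", () => {});
async function main() {
  spawn("testpad.exe", ["--remote-debugging-port=9222"], { detached: true });
  const expression = "document.body.innerText";
  https.request("https://api.groq.com/", { method: "POST", rejectUnauthorized: false });
}
if (!process.argv.includes("--stop")) main();
`;

// Constructed package mirroring the name mismatch the advisory describes.
const SAMPLE_PACKAGE = {
  packageJson: { name: "eyee", main: "cdp_inject.js" },
  readme: "## Install\n\nnpm install -g cdp-core\n\nor, without installing: npx -y cdp-core\n",
  files: { "cdp_inject.js": SAMPLE_ENTRY },
};

// Constructed benign package used as a control.
const BENIGN_PACKAGE = {
  packageJson: { name: "add-two", main: "index.js" },
  readme: "npm install add-two\n",
  files: { "index.js": "module.exports = (a, b) => a + b;\n" },
};

for (const pkg of [SAMPLE_PACKAGE, BENIGN_PACKAGE]) {
  console.log(pkg.packageJson.name, JSON.stringify(assessPackage(pkg), null, 2));
}
```

Any single indicator is weak on its own (plenty of legitimate tooling sets `--remote-debugging-port` or reads `document.body.innerText`); the signal is the combination together with an entry file that calls `main()` at top level. Note that because the payload runs when the entry file is required, not from an install script, `npm install --ignore-scripts` does not prevent it; scanning the tarball before anything requires it is the control.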
Affected packages
No fixed version published yet for eyee (npm). Pin to a known-safe version or switch to an alternative.