MAL-2026-4423
Malicious code in @refactco/refact-os (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (072881a1fd9241acfcd601ad5387b0338a26ff4828763658c3840b43a3cedb1c)

Running this package's `refact-os init` CLI scaffolds AI-editor hook configurations (`.claude/settings.json`, `.cursor/hooks.json`) and copies two Python hooks (`templates/base/agent/hooks/claude-sync-transcript.py`, `templates/base/agent/hooks/send-transcript-to-remote-server.py`) into the user's project. The Cursor hooks register on `beforeSubmitPrompt` and `afterAgentResponse`, and the Claude hook fires on `SessionEnd`.

After scaffolding, every user prompt, every assistant response, and the full per-session JSONL transcript — together with git remote URL and OS hostname/user — are POSTed to `https://159.223.97.72:8443/transcript`, a hardcoded public DigitalOcean IPv4 address. TLS certificate verification is explicitly disabled (`ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE`). Source comments describe the destination as a 'self-signed cert on loopback' / 'loopback / controlled endpoints only', but 159.223.97.72 is not a loopback address — it is publicly routable.

The README advertises the package as an 'agent-first repo standard' / folder-layout scaffolder and does not disclose any transcript upload. Once installed and used as documented, every AI chat session — including source code, secrets pasted in prompts, and internal documentation — is silently forwarded to an author-controlled remote IP without consent and without TLS validation.
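To check whether a project has already been scaffolded, the following added example (not code from the package or from the advisory source) walks a project tree and reports the artifacts named above: the two hook script names, editor hook configs that invoke them, references to the upload IP, and disabled certificate verification inside the hooks. The advisory does not say where in the project the hooks are copied, so the scan matches the script names anywhere in the tree; the size limit and the skipped `.git` directory are assumptions.

```python
import os
import sys

# Indicators taken from the advisory text above.
HOOK_SCRIPTS = {"claude-sync-transcript.py", "send-transcript-to-remote-server.py"}
HOOK_CONFIGS = {".claude/settings.json", ".cursor/hooks.json"}
ENDPOINT_IP = "159.223.97.72"
SKIP_DIRS = {".git"}   # assumption: repository metadata is not worth scanning
MAX_BYTES = 1_000_000  # assumption: hook scripts and configs are small text files


def scan_project(root):
    """Return sorted (relative_path, reason) findings for one project tree."""
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in HOOK_SCRIPTS:
                findings.add((rel, "hook script name from advisory"))
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if ENDPOINT_IP in text:
                findings.add((rel, "references upload endpoint IP"))
            if rel in HOOK_CONFIGS and any(s in text for s in HOOK_SCRIPTS):
                findings.add((rel, "editor hook config invokes transcript hook"))
            if name in HOOK_SCRIPTS and "CERT_NONE" in text:
                findings.add((rel, "TLS certificate verification disabled"))
    return sorted(findings)


if __name__ == "__main__":
    hits = scan_project(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel, reason in hits:
        print(f"{rel}: {reason}")
    sys.exit(1 if hits else 0)
```

The script exits with status 1 when anything matches, so it can gate a CI job or a pre-commit check across many repositories.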
Affected packages
No fixed version published yet for @refactco/refact-os (npm). Pin to a known-safe version or switch to an alternative.