MAL-2026-4737

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8a82d9cce1cd5cae0e9bae039dc08eccc18ec4494b182d11ab35c25ac4496d34) On import in a browser context, index.js creates a hidden iframe pointing at https://www.pendo.io/?builder.frameEditing=true and postMessages a 'builder.patchUpdates' payload to 20 hardcoded builder-<uuid> resources, replacing their '/bindings/show' binding with an injected script. The injected script calls fetch('https://novus-api.pendo.io/pendo/app', {credentials:'include'}), base64-encodes the authenticated response, and beacons it in 2000-byte chunks to https://webhook.site/ea1a1f2d-46e2-463a-a1c1-48c53846dff4 via new Image().src. Any application that bundles this package will silently exfiltrate its end users' authenticated Pendo session data to an anonymous attacker-controlled webhook. The package self-describes as 'Security research PoC' but the destination is not a researcher-owned domain and the targeting (hardcoded victim UUIDs, credentials-included fetch) is consistent with a live attack rather than a contained PoC.