MAL-2026-4752
Malicious code in gt-tester-exp-profiler-exp-00000015 (PyPI)
Details
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (55fc219f03cbaeeedb660ad423cc7af08ff1d29154c8b8989b7b0c5d7d5c3d75)

setup.py installs a .pth file containing `import gt_tester_exp_profiler_exp_00000015.probe; probe.run_probe()`, causing every Python interpreter start on the installer's machine to execute the package's probe module. The probe issues a plaintext HTTP GET to http://104.131.173.16/exp-<tag>-<hash16>, leaking the installer's source IP, interpreter-launch cadence, and a per-call hash to a hardcoded third-party host with no opt-in. Because .pth files auto-execute on every `python` invocation (not only when the package is imported), this constitutes installer-side persistence: the beacon fires for unrelated Python processes long after the user has forgotten the package is installed. The destination is a bare IPv4 address over cleartext HTTP with no integrity verification, so any future operator of that IP — or any on-path attacker — can serve arbitrary responses to the beacon. The User-Agent only references an opt-OUT URL, confirming the author knew consent was absent.
Affected packages
No fixed version published yet for gt-tester-exp-profiler-exp-00000015 (pip). Pin to a known-safe version or switch to an alternative.