MAL-2026-4766

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0142a19ba91410cc19470321caba04aa48633df937b0ed66439cccf31877a333) utils/send_email_otp.py exposes otpEmailService(to_email, email_body), which authenticates to smtp.gmail.com using a hardcoded sender address (magizhchisk@gmail.com) and a hardcoded Gmail App Password, then calls server.send_message on a message whose From: is the author and To: is the caller-supplied recipient with caller-supplied body. Any application that imports this helper sends OTP/notification email FROM the author's personal Gmail account through author-controlled infrastructure, with no way for the caller to supply their own SMTP credentials. The recipient address and message body — installer-side data — are silently routed through the author's mailbox. Additionally, the App Password is redistributed to every installer, so anyone who installs the package can log into the author's Gmail and impersonate the sender to all prior OTP recipients. A secondary issue in utils/auth.py hardcodes SECRET_KEY = "nsn" for HS256 JWT signing; any deployment using create_access_token/verify_token from this library will issue forgeable tokens since the signing key is shipped publicly.