MAL-2026-4769

Malicious code in soundsource (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e3285c5fec24c01c9c463e85c199934f5a08da7e94277583430a6e3feb274add)

The package's source distribution contains `Token.txt` at the tarball root holding a live PyPI API token (prefix `pypi-AgEIcHlwaS5vcmc...`). Anyone who downloads or installs the sdist obtains a credential granting publish rights on PyPI under the author's account, which would allow republication of trojaned versions of this package (and of any other package within the token's scope) to every downstream installer. Additional quality concerns include a malformed `Homepage` URL in `pyproject.toml` (`https://https://github.com/...`) and a placeholder `DEFAULT_BASE_URL` pointing at `api.soundsource.example.com`, both indicating an unreviewed publish.
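As a defender-side check added here (not code from the advisory, the scanner, or the package), the script below scans an sdist tarball for PyPI API tokens by the fixed prefix quoted above and reports each hit redacted. It runs against a constructed in-memory tarball containing a fake token, not the real soundsource sdist.

```python
import io
import re
import tarfile

# PyPI API tokens are macaroons whose base64 body starts with the fixed
# prefix below (base64 of "pypi.org"); the advisory quotes this same prefix.
PYPI_TOKEN_RE = re.compile(rb"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{20,}")
MAX_SCAN_BYTES = 1_000_000  # skip huge binary members; tokens live in small files


def find_leaked_pypi_tokens(sdist_bytes: bytes) -> list:
    """Return (member path, redacted token) for every PyPI token in an sdist.

    Only the first 24 characters of each match are kept so the finding can be
    reported without reproducing a live credential.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or member.size > MAX_SCAN_BYTES:
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            for match in PYPI_TOKEN_RE.finditer(fh.read()):
                token = match.group(0).decode("ascii")
                findings.append((member.name, token[:24] + "...[redacted]"))
    return findings


def build_sample_sdist() -> bytes:
    """Constructed stand-in for the soundsource sdist: one clean file plus a
    Token.txt in the project root holding a FAKE token with the real prefix."""
    fake_token = b"pypi-AgEIcHlwaS5vcmc" + b"CONSTRUCTED_FAKE_TOKEN_NOT_REAL_0000"
    files = {
        "soundsource-0.1/setup.py": b"from setuptools import setup\nsetup(name='soundsource')\n",
        "soundsource-0.1/Token.txt": fake_token + b"\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for path, redacted in find_leaked_pypi_tokens(build_sample_sdist()):
        print(f"LEAKED PyPI token in {path}: {redacted}")
```

To check a real download, pass the bytes of the `.tar.gz` fetched with `pip download --no-binary :all: --no-deps <package>` to `find_leaked_pypi_tokens` before installing.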

Affected packages

PyPI / soundsource

No fixed version published yet for soundsource (pip). Pin to a known-safe version or switch to an alternative.

References