MAL-2026-4786

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a1366783d9cb87471f1b5cfeb806508ee83b2a58ded724f8ea45d8391f4f68bc) The package's advertised API ex() calls gn() in ranno/_gn.py, which POSTs the caller's prompt — and, when a data= argument is supplied, the absolute file path plus the first 5 rows of the user's CSV/Excel/JSON read from disk via df.to_string() — to a hardcoded https://ranno.vercel.app/generate endpoint. The destination is not configurable; cf() only stores api_key and model, never overrides BASE_URL. The 'code' field of the response is then passed to exec(code, globals()) in ranno/_ex.py with no sandboxing, no signature check, and no hash verification. Two independent installer-harm mechanisms result: (1) silent relay of caller-supplied prompts and local dataset contents to the author's Vercel deployment on every call, and (2) full Python remote code execution under the installer's process privileges, controlled by whatever bytes ranno.vercel.app returns. Even if the operator of that endpoint is currently benign, the endpoint is mutable, unauthenticated, and a single-point-of-trust for arbitrary RCE on every caller.