MAL-2026-4808
Malicious code in wm-idp-sdk (npm)
Details
## Source: amazon-inspector (d2acf2a0d94ec1d2bada80f3251f5ecbea64d78ffadcab2b997b9708c2ae71cd)

`package.json` declares `"node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch"`, a direct HTTPS tarball URL hosted on a domain (`registry.ctzbg.com`) unrelated to the SDK's apparent publisher (walkme.com). The URL carries no version pin, no commit or tag, and no integrity hash, so every `npm install` fetches whatever bytes the operator of that host currently serves and installs them as the package's `node-fetch`. `dist/main.js` then calls `require('node-fetch')` at module top level, so the fetched code executes in any process that imports `wm-idp-sdk`. The host owner can swap the payload at any time without republishing wm-idp-sdk, giving them an open code-execution channel into every installer.

The package additionally impersonates Walkme's IDP SDK (its description references `WM Identity Provider`, it posts to `https://ec.walkme.com/event/log`, and it uses the storage key `wm-ic-idp-end-user-info`) while being published by the personal npm account `hwmenv` rather than under the `@walkme/*` scope. This namespace-abuse intent compounds the install-time RCE risk.
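As an added illustration (not part of the advisory or the amazon-inspector source), the check below flags the dependency pattern described above: remote tarball URLs served from hosts other than the npm registry, and git specs not pinned to a full commit. The trusted-host allowlist and the sample `package.json` are constructed assumptions.

```javascript
// Added example: scan package.json dependency specs for installs that bypass
// the registry and carry no pin. Assumption: only registry.npmjs.org is trusted.
const ALLOWED_TARBALL_HOSTS = new Set(["registry.npmjs.org"]);
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// A full 40-hex (SHA-1) or 64-hex (SHA-256) commit id after "#" counts as a pin;
// a branch or tag name does not, since it can be moved by the repo owner.
const COMMIT_PIN = /#(?:[0-9a-f]{40}|[0-9a-f]{64})$/i;

function classifySpec(name, spec) {
  if (/^https?:\/\//i.test(spec)) {
    const host = new URL(spec).hostname;
    if (ALLOWED_TARBALL_HOSTS.has(host)) return null;
    // A remote tarball spec has no version, tag or integrity field: every
    // install takes whatever the host serves at that moment.
    return { name, spec, kind: "remote-tarball", host, pinned: false };
  }
  const isGit = /^(git\+|git:|github:|gitlab:|bitbucket:)/i.test(spec)
    || /\.git(#.*)?$/i.test(spec)
    || /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec); // "user/repo" shorthand
  if (isGit && !COMMIT_PIN.test(spec)) {
    return { name, spec, kind: "git", pinned: false };
  }
  return null; // registry semver/tag, alias, file: and pinned git specs pass
}

function scanPackageJson(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const f = classifySpec(name, String(spec));
      if (f) findings.push({ field, ...f });
    }
  }
  return findings;
}

// Constructed sample: the advisory's node-fetch spec beside ordinary entries.
const SAMPLE = {
  name: "wm-idp-sdk",
  dependencies: {
    "node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch",
    "lodash": "^4.17.21",
    "registry-tarball": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
  },
  devDependencies: {
    "pinned-git": "git+https://github.com/example/repo.git#0123456789abcdef0123456789abcdef01234567",
    "floating-git": "github:example/repo#main",
  },
};

module.exports = { classifySpec, scanPackageJson, SAMPLE };
```

Running `scanPackageJson(SAMPLE)` reports the `registry.ctzbg.com` tarball and the branch-pinned git dependency, and nothing else.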
Affected packages
No fixed version published yet for wm-idp-sdk (npm). Pin to a known-safe version or switch to an alternative.