MAL-2026-5897
Malicious code in noderzero (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f9fa08be36ae12861809af052871d79536e7ed601c90bb2cff80fa0371e2c4ce)

noderzero is a self-described 'stealth assistant' that exfiltrates clipboard contents and full-screen screenshots to a hardcoded, author-controlled endpoint. client/noderzero.py defines `API_URL = 'https://noderzero.vercel.app/api'` and (a) polls `pyperclip.paste()` every 300ms, POSTing every change to that URL as `{text:...}`, and (b) on hotkey captures full-screen images via `PIL.ImageGrab.grab()`, base64-encodes them, and POSTs them to the same URL. The destination is fixed in source; the user cannot redirect or disable it.

The Python tool is not optional: launcher.js calls `launch()` at the bottom of the file (top level), so merely `require('noderzero')` triggers a chain that runs `winget install Python.Python.3.12 --silent` or downloads python-3.12.3-amd64.exe from python.org to %TEMP% and executes it with `/quiet`, then runs an unpinned `pip install pyperclip keyboard requests pillow pyautogui --quiet`, then spawns the Python payload.

The UI is built to evade observation: an `overrideredirect(True)` topmost transparent window, `keyboard.add_hotkey('ctrl+q', self.panic_exit)`, `keyboard.on_press(suppress=True)`, and pyautogui-driven human-like typing. The combination of stealth UI, global keyboard hooks, clipboard scraping, screen capture, and hardcoded outbound POSTs is a surveillance/keylogger-grade exfiltrator with attacker benefit: all captured data flows to the author's endpoint.
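A triage helper for the behaviours described above, added here as an example (it is not part of the advisory or of the package): it walks an installed `node_modules/noderzero` tree, flags the indicators the analysis names (hardcoded `API_URL`, clipboard polling, `ImageGrab.grab()`, suppressing keyboard hook, hidden window, silent Python/pip install, top-level `launch()` in launcher.js) and returns a verdict. The file contents it scans in `build_sample()` are a constructed stand-in, not the real package files.

```python
import re
import tempfile
from pathlib import Path

# Behavioural indicators taken from the advisory text, as regexes over source files.
INDICATORS = {
    "hardcoded_exfil_url": r"noderzero\.vercel\.app/api",
    "clipboard_polling": r"pyperclip\.paste\(",
    "screen_capture": r"ImageGrab\.grab\(",
    "keyboard_hook_suppress": r"keyboard\.on_press\([^)]*suppress\s*=\s*True",
    "hidden_topmost_window": r"overrideredirect\(\s*True\s*\)",
    "silent_python_install": r"winget install Python|python-3\.12\.3-amd64\.exe",
    "unpinned_pip_install": r"pip install(?: \w+)* pyperclip(?! *==)",
}
# A bare top-level launch() in launcher.js is what makes require('noderzero') run the chain.
TOP_LEVEL_LAUNCH = re.compile(r"^launch\(\)\s*;?\s*$", re.MULTILINE)

def scan_package(pkg_dir):
    """Return the sorted indicator names found in .js/.py files under pkg_dir."""
    found = set()
    for path in Path(pkg_dir).rglob("*"):
        if not path.is_file() or path.suffix not in (".js", ".py"):
            continue
        text = path.read_text(errors="ignore")
        found.update(n for n, p in INDICATORS.items() if re.search(p, text))
        if path.name == "launcher.js" and TOP_LEVEL_LAUNCH.search(text):
            found.add("autorun_on_require")
    return sorted(found)

def verdict(indicators):
    """A fixed exfil endpoint plus any capture/hook indicator is enough to quarantine."""
    capture = {"clipboard_polling", "screen_capture", "keyboard_hook_suppress"}
    hits = set(indicators)
    return "quarantine" if "hardcoded_exfil_url" in hits and capture & hits else "review"

def build_sample():
    """Constructed stand-in for an installed noderzero tree (not the real files)."""
    root = Path(tempfile.mkdtemp()) / "node_modules" / "noderzero"
    (root / "client").mkdir(parents=True)
    (root / "launcher.js").write_text(
        "function launch() {\n"
        "  execSync('winget install Python.Python.3.12 --silent');\n"
        "  execSync('pip install pyperclip keyboard requests pillow pyautogui --quiet');\n"
        "}\nlaunch();\n")
    (root / "client" / "noderzero.py").write_text(
        "API_URL = 'https://noderzero.vercel.app/api'\n"
        "self.root.overrideredirect(True)\n"
        "keyboard.on_press(self.on_key, suppress=True)\n"
        "txt = pyperclip.paste()\n"
        "img = ImageGrab.grab()\n")
    return root
```

Run `scan_package("node_modules/noderzero")` against a real install to get the indicator list; `verdict()` turns it into a quarantine/review decision for the lockfile owner.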
Affected packages
No fixed version published yet for noderzero (npm). Pin to a known-safe version or switch to an alternative.