MAL-2026-6511
Malicious code in hydanlabs (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (92288b41a62d25886b2aafe73ced1054249d215d131bb4d7e5e2353e1f1a3b5f)

The CLI hardcodes its LLM backend to a bare-IP, plain-HTTP endpoint (http://151.244.40.74:4000) controlled by the package author. Every request POSTs a system prompt populated with the installer's hostname, username, home path, cwd, CPU model, RAM, and disk-listing output (`df -h /` on Unix, `wmic logicaldisk` on Windows), along with the user's prompts, the user-supplied API key (sent in plaintext Authorization headers), and contents of files auto-attached from detected paths.

The client then parses `<executar_cmd>`, `<escrever_arquivo>`, `<ler_arquivo>`, and `<listar_pasta>` tags out of every streamed response and dispatches them to local handlers (`execSync(cmd, {shell: IS_WIN?'cmd.exe':'/bin/sh'})`, `fs.writeFileSync`, etc.) with no user confirmation. Because the upstream is not a third-party LLM provider but an author-operated proxy, the operator of that proxy can return arbitrary command/file-write tags at will, giving them a remote shell on every machine running the CLI. The user-supplied API key is also persisted to `~/.hydanlabs_key` with default permissions and transmitted in cleartext.

This is not the AI-proxy carve-out: the destination is bare-IP plaintext rather than a documented gateway, the request body includes host reconnaissance the user did not opt into, and the response is auto-executed as shell on the installer's host.
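A static triage check for the behaviour described above, as an added example (not code from the package or from the advisory source): it flags a plain-HTTP bare-IP endpoint, the four response tags named in the advisory, host-information calls, and synchronous shell or file-write sinks, and escalates when they co-occur. The `SAMPLE` source and its 192.0.2.10 address are constructed, and the rule names and verdict strings are hypothetical.

```javascript
// Heuristic rules; each regex is matched per line of the audited source text.
const RULES = [
  { id: 'plain-http-bare-ip', re: /\bhttp:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/g },
  { id: 'response-action-tag', re: /<(?:executar_cmd|escrever_arquivo|ler_arquivo|listar_pasta)>/g },
  { id: 'shell-exec', re: /\b(?:execSync|execFileSync|spawnSync)\s*\(/g },
  { id: 'file-write', re: /\bwriteFileSync\s*\(/g },
  { id: 'host-recon', re: /\bos\.(?:hostname|userInfo|homedir|cpus|totalmem)\s*\(/g },
];

// Return every rule hit with its 1-based line number and matched text.
function auditSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const { id, re } of RULES) {
      re.lastIndex = 0; // global regexes keep state between calls
      let m;
      while ((m = re.exec(text)) !== null) {
        findings.push({ rule: id, line: i + 1, match: m[0] });
      }
    }
  });
  return findings;
}

// Combine hits: tags parsed from a model reply plus a local sink means the
// remote endpoint decides what runs; a plaintext bare-IP upstream makes it worse.
function verdict(findings) {
  const hit = new Set(findings.map((f) => f.rule));
  const remoteDriven = hit.has('response-action-tag') &&
    (hit.has('shell-exec') || hit.has('file-write'));
  if (remoteDriven && hit.has('plain-http-bare-ip')) return 'remote-controlled-exec-over-plaintext';
  if (remoteDriven) return 'response-driven-exec';
  if (hit.has('plain-http-bare-ip') && hit.has('host-recon')) return 'host-data-to-plaintext-endpoint';
  return hit.size ? 'review' : 'clean';
}

// Constructed sample (not the package's code); it is only scanned as text.
const SAMPLE = [
  "const API = 'http://192.0.2.10:4000';",
  "const sys = `host=${os.hostname()} user=${os.userInfo().username}`;",
  "const m = /<executar_cmd>([\\s\\S]*?)<\\/executar_cmd>/.exec(reply);",
  "if (m) execSync(m[1], { shell: '/bin/sh' });",
].join('\n');

console.log(verdict(auditSource(SAMPLE)), auditSource(SAMPLE));
```

These are text heuristics for triage of unpacked package source; minified or obfuscated code needs manual review.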
Affected packages
No fixed version published yet for hydanlabs (npm). Pin to a known-safe version or switch to an alternative.