MAL-2026-6588
Malicious code in endpointmap (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (aa2ddbcbdd90508af14415a021644c1ab8a57e432b526425e4c5128b23f897bb)

endpointmap advertises itself as a REST endpoint registry but exhibits a two-package smuggle pattern. lib/registry.js exports two non-printable byte arrays (`_ep` of length 36, `_p` of length 7) annotated as 'Endpoint host segment' / 'Endpoint path segment', with a comment claiming they are 'processed at runtime by the consumer for portability.' Neither array is read anywhere in endpointmap's own code — index.js only exposes the registry object — and the bytes are opaque (XOR-shaped, with no key shipped in this package). At the same time, package.json declares `"bytecraft": "*"` as a dependency. endpointmap's source never `require`s bytecraft; the only effect of the declaration is to force installation of whatever `bytecraft@latest` happens to be at install time. The combination — staged encoded data in this package plus an unpinned, never-imported sibling that can be updated to act as the decoder/runtime — is the canonical 'data here, decoder there' split designed to evade per-package review. An installer of endpointmap is exposed to whatever bytecraft resolves to at install/require time, including future malicious versions, without endpointmap itself ever needing another release.
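The analysis above rests on two observations a reviewer can check mechanically: numeric array constants that nothing in the package reads, and a dependency that is declared with a floating specifier but never required. The script below is an added example (not part of this advisory and not endpointmap's or amazon-inspector's code) that runs both checks over a constructed package. The package name, file contents, dependency names and byte values are all invented for the example, and the checks are regex-based triage heuristics rather than a full JavaScript parser.

```python
"""Heuristic triage for the 'data here, decoder there' pattern:
staged opaque byte arrays in one package, an unpinned and never-required
sibling dependency expected to supply the decoder."""
import json
import re

# Constructed sample package (invented for this example; not endpointmap).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-registry",
    "version": "1.0.0",
    "main": "index.js",
    "dependencies": {
        "helper-runtime": "*",   # unpinned, and never required by any file below
        "semver": "^7.5.4",      # pinned and actually used
    },
})

SAMPLE_FILES = {
    "index.js": (
        "const registry = require('./lib/registry');\n"
        "const semver = require('semver');\n"
        "module.exports = { registry, ok: semver.valid('1.0.0') };\n"
    ),
    "lib/registry.js": (
        "// Endpoint host segment\n"
        "const _ep = [0x3a, 0x7f, 0x02, 0x5c, 0x19, 0x7e];\n"
        "// Endpoint path segment\n"
        "const _p = [0x11, 0x04, 0x6d];\n"
        "const registry = { users: '/api/users' };\n"
        "module.exports = { registry, _ep, _p };\n"
    ),
}

REQUIRE_RE = re.compile(r"""\brequire\(\s*['"]([^'"]+)['"]\s*\)""")
IMPORT_RE = re.compile(r"""\bimport\b[^;]*?['"]([^'"]+)['"]""")
# `const NAME = [0x.., 12, ...]` with only small integer literals inside
NUMERIC_ARRAY_RE = re.compile(
    r"""\b(?:const|let|var)\s+(\w+)\s*=\s*\[\s*"""
    r"""((?:0x[0-9a-fA-F]{1,2}|\d{1,3})\s*(?:,\s*(?:0x[0-9a-fA-F]{1,2}|\d{1,3})\s*)*)\]"""
)


def package_name(spec):
    """'@scope/pkg/sub' -> '@scope/pkg', 'lodash/fp' -> 'lodash'."""
    parts = spec.split("/")
    return "/".join(parts[:2]) if spec.startswith("@") else parts[0]


def imported_packages(files):
    """Package names that some source file actually requires or imports."""
    found = set()
    for src in files.values():
        for pattern in (REQUIRE_RE, IMPORT_RE):
            for m in pattern.finditer(src):
                spec = m.group(1)
                if not spec.startswith((".", "/")):  # skip relative/absolute paths
                    found.add(package_name(spec))
    return found


def never_required(pkg_json_text, files):
    """Declared dependencies with no require/import anywhere in the package."""
    deps = json.loads(pkg_json_text).get("dependencies", {})
    used = imported_packages(files)
    return sorted(d for d in deps if d not in used)


def unpinned(pkg_json_text):
    """Dependencies whose specifier lets the registry choose any version."""
    deps = json.loads(pkg_json_text).get("dependencies", {})
    return sorted(d for d, spec in deps.items() if spec.strip() in ("", "*", "latest"))


def _is_read(name, files):
    """True if `name` appears anywhere other than its own declaration or an exports line."""
    decl = re.compile(r"^\s*(?:const|let|var)\s+" + re.escape(name) + r"\b")
    ref = re.compile(r"\b" + re.escape(name) + r"\b")
    for src in files.values():
        for line in src.splitlines():
            if decl.search(line) or "exports" in line:
                continue
            if ref.search(line):
                return True
    return False


def unread_numeric_arrays(files, min_len=3):
    """(path, name, length) for numeric array constants nothing in the package reads."""
    hits = []
    for path, src in files.items():
        for m in NUMERIC_ARRAY_RE.finditer(src):
            name = m.group(1)
            values = [v for v in re.split(r"\s*,\s*", m.group(2).strip()) if v]
            if len(values) >= min_len and not _is_read(name, files):
                hits.append((path, name, len(values)))
    return hits


def analyze(pkg_json_text, files):
    """Combine the checks; flag the pattern only when both halves are present."""
    report = {
        "never_required": never_required(pkg_json_text, files),
        "unpinned": unpinned(pkg_json_text),
        "unread_numeric_arrays": unread_numeric_arrays(files),
    }
    staged_data = bool(report["unread_numeric_arrays"])
    floating_unused = set(report["never_required"]) & set(report["unpinned"])
    report["smuggle_pattern"] = staged_data and bool(floating_unused)
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_PACKAGE_JSON, SAMPLE_FILES), indent=2))
```

Either finding on its own is common in benign packages (dead constants, a dependency only used by a build script), so the report flags the pattern only when an unread numeric array coexists with a dependency that is both floating and never required; to run it against a real package, read package.json and the `.js` files from the unpacked tarball into the same two arguments.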
Affected packages
No fixed version published yet for endpointmap (npm). Pin to a known-safe version or switch to an alternative.