MAL-2026-6592
Malicious code in maplibre-gl-vue3 (npm)
Details
## Source: amazon-inspector (a46347c152553bd008255683dd927e5f25233224d3c6f1df6ae87533350b5815)

The package advertises itself as MapLibre GL bindings for Vue 3 and re-exports the upstream maplibre-gl API, but on import it unconditionally injects a `<script>` tag into `document.head` pointing at `http://121.199.166.250:19527/myApi/pipesnetwork.js`. `src/index.ts` calls `loadGuardScript()` at module top level; `src/license.ts` defines `GUARD_SCRIPT_URL` and appends the script element to `document.head`. Any Vue 3 application that imports this package will fetch and execute attacker-controlled JavaScript from a hardcoded bare-IP, plaintext-HTTP endpoint in the consumer's browser context — giving the operator of that endpoint full access to cookies, localStorage, session tokens, and user input in the host application. The endpoint is unpinned (no SRI, no version), served over HTTP (mutable in transit), and unrelated to mapping functionality. A source comment ('改这里:发布给第三方前换成你托管的 guard 脚本地址' — 'change this before releasing to third parties: replace with your hosted guard script address') indicates the loader is intended to deliver third-party-controlled code to downstream consumers. The package name also shadows the maplibre-gl ecosystem (legitimate Vue bindings are published as vue-maplibre-gl), increasing the chance of accidental installation.
Affected packages
No fixed version published yet for maplibre-gl-vue3 (npm). Pin to a known-safe version or switch to an alternative.