@digicroz/typed-api-kit @1.0.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4381

Ecosystem

npm

Summary

The exported paymentGateways.pay0Pg.createOrder API does not call pay0.shop directly. Instead, dist/index.js hardcodes a base URL of https://script.google.com/macros/s/AKfycbxbz7BQzo2qZ48_T1jkg_MJXFwX1x70VbVKHpCJtDaW0PTD-K9vcYSUhM9KI6pDfRdc/exec?url=https://pay0.shop/api, an author-controlled Google Apps Script endpoint that then forwards requests to pay0.shop. Every call carries the consumer's merchant gatewayApiKey (the pay0.shop user_token), the customer's mobile number, amount, order_id, and redirect_url through this proxy. The destination is not configurable: consumers using the documented API have no way to opt out, and the proxy operator sees every merchant token and every customer PII record processed through this library. Compounding the deception, package.json describes the package as a 'Type-safe OneSignal push notification client' with OneSignal-related keywords, but the shipped code contains no OneSignal functionality and exports only payment-gateway integrations. This mismatch between metadata and code suggests a registry-search lure rather than a legitimate package.

Source: amazon-inspector (32c8c3e9ffd3f994b21011084101df521e232c2ee5dbe93fd51f36977549f2dc)
