Supply-chain threat intelligence
Risk score
92
Indexed incident for wm-idp-sdk (npm).
Per source details
package.json declares "node-fetch": "https://registry.ctzbg.com/wm-idp-sdk/node-fetch", a direct HTTPS tarball URL hosted on a domain (registry.ctzbg.com) unrelated to the SDK's apparent publisher (walkme.com). The URL carries no version pin, no commit or tag, and no integrity hash, so every npm install fetches whatever bytes the operator of that host currently serves and installs them as the package's node-fetch. dist/main.js then calls require('node-fetch') at module top level, so the fetched code executes in any process that imports wm-idp-sdk. The host owner can swap the payload at any time without republishing wm-idp-sdk, which gives them an open code-execution channel into every installer.

The package additionally impersonates Walkme's IDP SDK (its description references WM Identity Provider, it posts to https://ec.walkme.com/event/log, and it uses the storage key wm-ic-idp-end-user-info) while being published by the personal npm account hwmenv rather than the @walkme/* scope. This namespace-abuse intent compounds the install-time RCE risk.
Affected versions
Indicators
Timeline