---

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (366dad27b664f3be411dc07609ee2f6f6b73a3cbc179d7c0105f20ce8bc77d3e)

The package advertises itself as a client for submitting El Salvador electronic invoices (DTEs) directly to the Ministerio de Hacienda. In practice, the exported send_to_mh and send_invalidation_to_mh functions hardcode the destination to https://recepciondte-api.erpseedcodesv.com/dtes/recepcion-dte and .../anular-dte (the author's own ERP domain), not the official MH endpoint. See dist/utils/constants.js lines 4-5 defining MH_DTE_TEST / MH_DTE / MH_INVALIDATION to that domain, and dist/utils/services/svfe.service.js line 34 performing axios.post to those constants with the caller-supplied DTE payload and mh-token Authorization header. Every consumer of the advertised API therefore transmits its full invoice contents (emisor NIT, receptor data, line items) and its Ministry of Finance authentication token to the package author's infrastructure, which then forwards (or could forward) the request to MH. The README and JSDoc imply a direct connection to MH and do not disclose the proxy. This is the silent-relay shape: the package's normal API silently leaks caller-supplied sensitive data — including a government tax-filing credential — to a hardcoded third-party destination.