Supply-chain threat intelligence
Risk score
92
Indexed incident for fca-eryxenx (npm).
The package's documented login API — login({email, password, twofactor}) — POSTs the caller's Facebook email, password, and 2FA secret to https://minhdong.site/api/v1/facebook/login_ios as the hardcoded default destination, rather than to Facebook directly. In module/loginHelper.js:62, baseUrl resolves to apiBaseUrl || config.apiServer || "https://minhdong.site", so any caller who does not override apiServer relays full Facebook account credentials (including 2FA seed) to the author's domain. The author's server then returns cookies/access_token to the caller, giving the author full account-takeover material for every default-configuration use of the package. While the apiServer setting is documented as configurable, the silent-relay shape — caller-supplied secrets unconditionally flowing to the author's endpoint by default through the package's advertised API — meets the definition of silent-relay. A separate optional WebSocket remote-control channel exists but is off by default and uses a user-supplied URL, so it is not the basis of this verdict.
Affected versions
Indicators
Timeline