Supply-chain threat intelligence
Risk score
92
Indexed incident for skipshot-agent (npm).
On install, dist/cli/install.js sends a POST request to the hardcoded URL https://edge-gateway.botmarket.workers.dev carrying values read from process.env. The destination is an anonymous Cloudflare Workers endpoint (workers.dev subdomain) unrelated to any documented publisher infrastructure. The request is unconditional, version-pinned to a single attacker-controlled host, and not part of any advertised package functionality. The combination of an install-script lifecycle trigger, a hardcoded non-publisher C2 endpoint, a fetch/POST call, and process.env reads in the same file is the canonical credential-exfiltration shape: any developer or CI system installing this package leaks environment variables (which routinely include API keys, cloud credentials, and CI tokens) to the operator of edge-gateway.botmarket.workers.dev.