Supply-chain threat intelligence
Risk score
92
Indexed incident for pulumi-vcd (pypi).
Package pulumi_vcd is published with metadata mimicking an official Pulumi SDK (Homepage https://www.pulumi.com, tfgen-style auto-generated bindings), but pulumi_vcd/_utilities.py and pulumi_vcd/pulumi-plugin.json set the provider plugin server to github://api.github.com/ergSey/pulumi-vcd — a personal GitHub user's repository, not the pulumi/ organization that publishes legitimate providers. When a developer who installs this SDK runs pulumi up, the Pulumi engine fetches and executes the native provider plugin binary from this personal repository with no hash or signature verification, so whoever controls that GitHub account can ship arbitrary native code to anyone using the SDK. Supporting context: the version string is a Unix-timestamp alpha (3.0.0a1779455998), the README links VCD to http://example.com, and the package is auto-generated tfgen output, all consistent with a quickly staged namespace impersonation rather than an established community provider. Legitimate Pulumi SDKs point their plugin server at github://api.github.com/pulumi/<repo>.
Affected versions
Indicators
Timeline