Supply-chain threat intelligence
Risk score
92
Indexed incident for massive (pypi).
-= Per source details. Do not edit below this line. =-
The package self-describes as the 'Official Massive (formerly Polygon.io) REST and Websocket client'. This report treats that as a false rebrand claim (Polygon.io has not changed names); the conclusions below depend on it, so confirm the claim against Polygon.io's own channels and the PyPI publisher identity before acting on this score. The source is a near-verbatim clone of the legitimate polygon-api-client with brand strings substituted: massive/rest/__init__.py hardcodes BASE = "https://api.massive.com", the API key environment variable is renamed MASSIVE_API_KEY, and the repository URL github.com/massive-com/client-python is a lookalike of polygon-io/client-python.

Because the API shape is identical to the legitimate Polygon SDK, copy-pasted developer code 'just works', but it sends the caller's real Polygon bearer token (massive/rest/base.py:46 attaches Authorization: Bearer <API_KEY> to every request) together with every market-data query to api.massive.com, a destination the developer did not choose and which the documented configuration does not redirect: callers would have to override base= on every client instantiation. The websocket client likewise hardcodes a non-Polygon feed host.

Net effect: a developer who installs this expecting the Polygon SDK silently relays their API credentials and queries to an attacker-controlled lookalike domain.
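The pattern above (same API surface, different hardcoded egress host, renamed key variable, bearer token on every request) can be checked statically without ever importing the suspect package. The following is an added audit script, not code from the advisory, from polygon-api-client or from the massive package: it parses every .py file in a package tree with the ast module, collects URL literals, os.environ/os.getenv lookups and 'Bearer' header constants, and flags any host outside an allowlist of the vendor's known endpoints. The allowlist, the expected POLYGON_API_KEY name and the sample package contents are assumptions constructed to mirror the advisory's description; the websocket host in the sample is a placeholder, not an observed indicator.

```python
"""Static audit of a Python SDK tree for hardcoded egress hosts and renamed
credential variables. Added example: nothing from the package is executed."""
import ast
import os
import tempfile
from urllib.parse import urlsplit

# Assumed legitimate vendor endpoints and key variable; adjust for the SDK under review.
ALLOWED_HOSTS = {"api.polygon.io", "socket.polygon.io"}
EXPECTED_KEY_ENV = "POLYGON_API_KEY"

# Constructed mini-package: paths follow the advisory, contents are illustrative.
SAMPLE_PACKAGE = {
    "massive/__init__.py": (
        'DOCS = "https://api.polygon.io"  # allowed host, must not be flagged\n'
        "from .rest import BaseClient\n"
    ),
    "massive/rest/__init__.py": (
        'BASE = "https://api.massive.com"\n'
        "from .base import BaseClient\n"
    ),
    "massive/rest/base.py": (
        "import os\n"
        "from . import BASE\n"
        "class BaseClient:\n"
        "    def __init__(self, api_key=None, base=BASE):\n"
        "        self.api_key = api_key or os.environ.get('MASSIVE_API_KEY')\n"
        "        self.base = base\n"
        "        self.headers = {'Authorization': 'Bearer ' + str(self.api_key)}\n"
    ),
    "massive/websocket/__init__.py": (
        'FEED = "wss://feed.example.invalid"  # placeholder, not an observed host\n'
    ),
}


def _string_constants(tree):
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.lineno, node.value


def _env_lookups(tree):
    """Yield (lineno, name) for os.environ.get('NAME') and os.getenv('NAME')."""
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if not isinstance(func, ast.Attribute):
            continue
        owner = func.value
        is_environ_get = (func.attr == "get" and isinstance(owner, ast.Attribute)
                          and owner.attr == "environ")
        is_getenv = (func.attr == "getenv" and isinstance(owner, ast.Name)
                     and owner.id == "os")
        arg = node.args[0]
        if (is_environ_get or is_getenv) and isinstance(arg, ast.Constant) \
                and isinstance(arg.value, str):
            yield node.lineno, arg.value


def audit_package(root, allowed_hosts=ALLOWED_HOSTS, expected_key_env=EXPECTED_KEY_ENV):
    """Return sorted findings as (relative_path, lineno, kind, value) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8") as fh:
                tree = ast.parse(fh.read(), filename=rel)
            for lineno, text in _string_constants(tree):
                if text.startswith(("http://", "https://", "ws://", "wss://")):
                    host = urlsplit(text).hostname
                    if host and host not in allowed_hosts:
                        findings.append((rel, lineno, "unexpected_host", host))
                elif text.startswith("Bearer"):
                    # Credential is attached to requests; pair with the host findings.
                    findings.append((rel, lineno, "credential_attached", text))
            for lineno, var in _env_lookups(tree):
                if var != expected_key_env:
                    findings.append((rel, lineno, "renamed_key_env", var))
    findings.sort()
    return findings


def write_sample_package():
    """Materialise SAMPLE_PACKAGE under a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="sdk-audit-")
    for rel, body in SAMPLE_PACKAGE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    return audit_package(write_sample_package())


if __name__ == "__main__":
    for finding in demo():
        print("%s:%d %s %s" % finding)
```

Point audit_package at an unpacked sdist or wheel (pip download, then extract) rather than at an installed copy, so nothing from the package runs during review; a clone that is only a rebrand will show the same three finding kinds the advisory describes, with the unexpected host and the renamed key variable being the signals that matter.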
Affected versions
Indicators
Timeline