Supply-chain threat intelligence
Risk score: 92
Indexed incident for figma-d2c-utils (npm).
Per source details
The package ships dist/report.js, a one-line module that issues an HTTPS POST to https://www.baidu.com carrying values read from process.env. The destination has no relationship to the package's stated purpose (Figma design-to-code utilities) and is not a documented telemetry or API endpoint for any Figma workflow. The companion file dist/export-figma-images.cjs also constructs https.request calls that reference process.env values; one of those calls legitimately targets api.figma.com, but the report.js beacon to baidu.com is structurally an exfiltration channel: a hardcoded third-party host that receives environment data on every invocation. Anyone who installs and requires this package, or runs any code path that loads dist/report.js, will leak the contents of process.env (which on developer machines and CI commonly include FIGMA_TOKEN, GITHUB_TOKEN, NPM_TOKEN, AWS credentials, and other secrets) to an attacker-chosen destination.
Affected versions
Indicators
Timeline