Explicit payment-decoy APIs construct mismatched purchase item, token, and target-option combinations against MyXL payment endpoints. A separate explicit quota helper transmits its supplied phone number to a third-party host.
Static reason
No blocking static signals were detected.
Trigger
Consumer calls exported `Payments.payPulsaDecoy*`, `Payments.payQrisDecoy*`, or `Ciam.checkQuota`.
Impact
May facilitate unauthorized or inconsistent telecom-payment transactions; quota lookup discloses the supplied MSISDN to a non-MyXL endpoint.
Mechanism
User-invoked payment-request manipulation and third-party MSISDN lookup.
Rationale
The package contains no install-time or host-compromise behavior, but its exported decoy flows are a material, unresolved payment-abuse capability. Flag as warn rather than block because activation is explicit and backend exploit success is not established statically.
Evidence
package.jsondist/index.jsdist/ciam.jsdist/payments/index.jsdist/payments/pulsa-decoy.d.tsdist/payments/pulsa-decoy-v2.d.tsdist/payments/qris-decoy.d.tsdist/payments/qris-decoy-v2.d.ts
Network endpoints3
api.myxl.xlaxiata.co.idgede.ciam.xlaxiata.co.idxl-ku.my.id/end.php?check=package&number=${msisdn}&version=2