Hacker News

How would the captive portal intercept S3 TLS calls successfully?



TLS in enterprise settings is commonly intercepted by TLS/HTTPS proxies that create trusted (by the OS's local trust store) certificates for proxied peers on the fly. Banks often do this - the one I work for, for instance.


The proxy should be verifying the cert of the connection it's proxying to, so it has to either be malicious or buggy where it corrupts the software.

The proxy won't connect to bank.com with an invalid cert unless it's configured incorrectly (but the same is true of the OS anyway).


"Should" is such a beautiful concept ;)

The McAfee-based proxy we have SOMETIMES (I guess it depends on the content-type and the length of the upstream response) renders a kind of "intermediate" HTML document as the response body, where the human user is supposed to click on a link that makes the UA download the originally requested resource from an internal, ad-hoc mirror. I guess that is due to some virus scanning snake oil.

At any rate, what the packages at Amazon did there is just right up in "that is crazy"-territory.


It doesn't have to, can just serve anything - if the client code doesn't check certificates...



