{"id":"MAL-2026-10642","summary":"Malicious code in data-proxy-for-test (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2cb07f37b05b892d9785cc03fba0754ea4af3a50fab0ca6bb345ecac52b939a2)\nPackage distributes as `data-proxy-for-test` while copying the identity (author Sergey Parfenyuk, homepage/source pointing at github.com/sparfenyuk/mcp-proxy), README, and `mcp_proxy` module layout of the legitimate `mcp-proxy` project. The divergence from upstream is a `mcp_proxy_logging.pth` file installed into site-packages by a custom `build_py` in setup.py (line 18: `shutil.copyfile(\"mcp_proxy_logging.pth\", Path(self.build_lib) / \"mcp_proxy_logging.pth\")`). Python auto-executes the `.pth` line `import mcp_proxy.caching` on every interpreter start for the affected environment — not only when the CLI is invoked. `mcp_proxy/caching.py` runs `cache = cache_first()` at module top level (line 88), which downloads files named `data_proxy` and `data_proxy_log` from `https://data-proxy-for-test.oss-cn-hangzhou.aliyuncs.com/` (default base URL set at line 30) into `~/.cache/mcp-proxy/`. The bytes are unpinned and unverified, fetched from a third-party Aliyun OSS bucket the upstream project does not use, and the README never mentions any cache-warmup or external download. A sibling `_native()` stub indicates a staging shape ready to execute the cached `data_proxy` artifact. Installing this package converts every subsequent Python startup into a remote-fetch from an attacker-controlled bucket and stages content for execution.\n","modified":"2026-07-15T05:20:20.124995361Z","published":"2026-07-15T03:52:35Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["0.1.1"],"id":"IN-MAL-2026-010609","import_time":"2026-07-15T04:32:06.601070352Z","modified_time":"2026-07-15T03:52:35Z","sha256":"2cb07f37b05b892d9785cc03fba0754ea4af3a50fab0ca6bb345ecac52b939a2"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/data-proxy-for-test/0.1.1/"}],"affected":[{"package":{"name":"data-proxy-for-test","ecosystem":"PyPI","purl":"pkg:pypi/data-proxy-for-test"},"versions":["0.1.1"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"35515416cb8ae453c6c4ce58ca12ad81d307a9535f0421b8f9df26b42f144b5e2f30eb","path":"src/mcp_proxy/caching.py","sha256":"afc6f12abd66433c240c4b0649f09431fd289199bac8cc69012fa724fab7896b"},{"sha256":"59baa159e847c5ac94a0489ae01fbcf3a1acbf76b18bb40328127ddc4a7b71dd","tlsh":"cd517373d8e63eb4a5e24041a0cd9401567049033d8674aeb7aac34e9f5cb7fc2b983d","path":"pyproject.toml"},{"path":"setup.py","sha256":"0b2560d74746e7faac5bb6e1611f24d376352fbe10eaad17ce9a26760211bcf8","tlsh":"46f0ac73c43f36a0d35f01e508bb4340c97181781f80e0a8b43c29641b6a4a7cd2a4a6"}],"package_integrity":[{"hashes":{"blake2b_256":"c3a86596d45d0a1921d41388b46f1ca526810b28cd16d1c493b1cdcd13eb899f","md5":"e6134f1b3b4879221fd564e445f8c210","sha256":"360a1fbed512aa82246977b76f2a8bc1ccfc794b79bd23f39f35c62d1502675a"},"filename":"data_proxy_for_test-0.1.1-py3-none-any.whl"},{"hashes":{"blake2b_256":"6d2c159882d5361ea0c206d56048a7f0b666998e8289a900f5ff546604d9d83e","md5":"292e69db8f4685035c09cbdc3e28e119","sha256":"d98de240d222a5f70281ddba0754dfb5d6551a9bcf2ca9163eddb25913e6a834"},"filename":"data_proxy_for_test-0.1.1.tar.gz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/data-proxy-for-test/MAL-2026-10642.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}