{
  "id": "MAL-2026-3692",
  "summary": "Malicious code in guan (PyPI)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2e04a9a658bc7616e72a5edf276dd049e5b697f2492c46929caf2e01fac95d84)\nThe top-level `src/guan/__init__.py` unconditionally calls `statistics_of_guan_package()` on every `import guan`. That function (in `src/guan/others.py`) opens a raw TCP socket to the hardcoded author-controlled endpoint `socket.guanjihuan.com:12345` and sends a JSON payload containing the installer's MAC address (via `uuid.getnode()`), the `guan` package version, and timestamp. There is no opt-out, no documentation of this behavior in README/PKG-INFO, and no user consent. This constitutes silent collection of a stable hardware identifier from every machine that imports the package and transmits it to an author-controlled server — an installer-side data exfiltration pattern, not merely author-side self-harm. While the payload is narrow (MAC + version + time), MAC addresses are persistent hardware identifiers suitable for tracking, correlation, and deanonymization of developer/build machines.\n",
  "modified": "2026-05-13T20:22:53.891819Z",
  "published": "2026-05-12T07:41:52Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "source": "amazon-inspector",
        "versions": ["0.1.171"],
        "id": "IN-MAL-2026-002162",
        "sha256": "2e04a9a658bc7616e72a5edf276dd049e5b697f2492c46929caf2e01fac95d84",
        "modified_time": "2026-05-12T19:03:07Z",
        "import_time": "2026-05-13T20:10:52.085627512Z"
      },
      {
        "source": "amazon-inspector",
        "versions": ["0.1.100"],
        "id": "IN-MAL-2026-002127",
        "sha256": "79f5073a737071fced2f4ba5d1843bb5104253741c9e5f58bf2b773f06c05ada",
        "modified_time": "2026-05-12T19:03:07Z",
        "import_time": "2026-05-13T20:10:51.539665834Z"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://pypi.org/project/guan/0.1.171/"},
    {"type": "PACKAGE", "url": "https://pypi.org/project/guan/0.1.100/"}
  ],
  "affected": [
    {
      "package": {"name": "guan", "ecosystem": "PyPI", "purl": "pkg:pypi/guan"},
      "versions": ["0.1.171", "0.1.100"],
      "database_specific": {
        "indicators": {
          "evidence_files": [
            {
              "tlsh": "2611e33f22ffbb004abae7e1705f1674537750baaf4000a71ee963be178516c1a11439",
              "path": "src/guan/__init__.py",
              "sha256": "5ffca3f9acceae723d7127c035a100c6c71b4b3102091c004c7462b9dafa3115"
            }
          ],
          "package_integrity": [
            {
              "hashes": {
                "md5": "356aa56abd6c5c00d93988ac60d2cf1f",
                "blake2b_256": "e61d4e36c641deef2c4269b4b71fd2547eb4d25b3417f9da2e50e7a9fe227093",
                "sha256": "980fc0886cc85b6ff49a3d784bc95bc1333b535bac3216b4b042960f9fe496cb"
              },
              "filename": "guan-0.1.171-py3-none-any.whl"
            },
            {
              "hashes": {
                "md5": "3ee7b41b5ab81001eda862fef4981a8a",
                "blake2b_256": "4c627291cc70500619327b420a9c8dc2faffe49569222f70210898dfa4e0d5d7",
                "sha256": "ee1227ae4a8b99d0f356c3cc0fde42782eef66bdb751947fc678a1f6e2938a23"
              },
              "filename": "guan-0.1.171.tar.gz"
            }
          ]
        },
        "cwes": [
          {"name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506"},
          {"name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506"}
        ],
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/guan/MAL-2026-3692.json"
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [{"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}]
}