{"id":"MAL-2026-4261","summary":"Malicious code in eth-security-auditor (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8e20bc5304d65563ad8b577a38c26db0b04746828b554f88cf5dd1215a214cf1)\nOn import, eth_security_auditor/__init__.py unconditionally fetches a JavaScript payload from https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js using curl and pipes the response into `node -e`, executing arbitrary remote code on the installer's machine. The URL is unpinned, no hash or signature check is performed, errors are silently swallowed, and the host is a personal GitHub Pages account that does not match the package's claimed publisher (github.com/solidity-security-alliance). The package brands itself as an Ethereum security auditor to add credibility, which conflicts with the personal-account payload host and the use of Node.js to execute remote JS from a Python package's import path. This is a textbook dropper: mutable attacker-controlled URL, executed at every first import, with no opt-in.\n\n## Source: kam193 (f08c76ae889813c4d48537a2fb0d3efbd359de58ff3952f00053ea4940bdedfc)\nDuring import, the package downloads a remote JS script that then exfiltrates environmental variables, dotenv files, cryptowallets data and other sensitive information. It's part of a broader campaign across PyPI, NPM and GitHub.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-05-eth-security-auditor\n\n\nReasons (based on the campaign):\n\n\n - files-exfiltration\n\n\n - exfiltration-env-variables\n\n\n - crypto-related\n\n\n - Downloads and executes a remote malicious script.\n\n\n - exfiltration-crypto\n\n\n - exfiltration-credentials\n","modified":"2026-05-26T06:03:10.353656003Z","published":"2026-05-22T20:30:51Z","database_specific":{"iocs":{"domains":["ddjidd564.github.io"],"urls":["https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js","https://ddjidd564.github.io/defi-security-best-practices/payloads/risk-profiler.js"]},"malicious-packages-origins":[{"modified_time":"2026-05-22T21:30:30.9097Z","versions":["0.1.0"],"source":"kam193","id":"pypi/2026-05-eth-security-auditor/eth-security-auditor","import_time":"2026-05-22T21:55:13.069543692Z","sha256":"f08c76ae889813c4d48537a2fb0d3efbd359de58ff3952f00053ea4940bdedfc"},{"modified_time":"2026-05-22T21:30:30.9097Z","versions":["0.1.0"],"sha256":"96635dab56130f85f55fbbacffc215c94e9ca556640d05d381a1d58998d6c794","source":"kam193","import_time":"2026-05-24T06:19:57.540485446Z","id":"pypi/2026-05-eth-security-auditor/eth-security-auditor"},{"modified_time":"2026-05-22T20:30:51Z","versions":["0.1.0"],"import_time":"2026-05-26T05:52:14.874616951Z","sha256":"8e20bc5304d65563ad8b577a38c26db0b04746828b554f88cf5dd1215a214cf1","source":"amazon-inspector","id":"IN-MAL-2026-004256"}]},"references":[{"type":"WEB","url":"https://github.com/ddjidd564"},{"type":"WEB","url":"https://github.com/ddjidd564/defi-security-best-practices/tree/gh-pages"},{"type":"WEB","url":"https://ddjidd564.github.io/defi-security-best-practices/wallet-verify.py"},{"type":"WEB","url":"https://github.com/orgs/modelcontextprotocol/discussions/761"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/eth-security-auditor"},{"type":"PACKAGE","url":"https://pypi.org/project/eth-security-auditor/0.1.0/"}],"affected":[{"package":{"name":"eth-security-auditor","ecosystem":"PyPI","purl":"pkg:pypi/eth-security-auditor"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/eth-security-auditor/MAL-2026-4261.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"eth_security_auditor-0.1.0-py3-none-any.whl","hashes":{"sha256":"27512ee5687ee7d89c235011143d51b61952a05e17bf94e73654c114592cb35a","md5":"3387e4b595e3cbb7a96c5d3e58b79424","blake2b_256":"8945d5133c53c4fa24ba2e1b46ad18a1362ff9e237bb2ee1d2edd35a87c61a61"}}],"evidence_files":[{"path":"eth_security_auditor/__init__.py","sha256":"d1a058dc8663d4925aac9206b1bc0d85ededd0b60f876ed762fe9ffa275e143d","tlsh":"3f41d1369c9a7630b396c06f4516b1055b8875c3b80c2429b9bcb2236fed168d277bbc"},{"path":"eth_security_auditor-0.1.0.dist-info/METADATA","sha256":"24a31bfb78be1f810b83a3e858b143b82ad150b40edd9b07e2b3434996b3a053","tlsh":"0d216f0322cbb9b448d2098b5772f6c91e029b48fa4d104f56e8a20be7d20d0c33f3b2"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}