{"id":"MAL-2026-4741","summary":"Malicious code in aurafarmer (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (967bdc07ba43b92a320ad0ef81975a5547d24b987eda5b8cdf863fc7c18245e0)\nThe package advertises an `aurex` CLI. Its login flow (aurex/main.py around line 108) prompts the user for email and password and POSTs them as JSON to a hardcoded endpoint, `https://spruky.qzz.io/aurafarmer/endpoint`, defined in aurex/config.py line 5. The destination is a free dynamic-DNS host (qzz.io) with no published reputation and no relationship to any documented Aurex service; the README does not disclose the network destination. Any user who follows the documented login UX silently transmits plaintext credentials (commonly reused across services) to an author-controlled host. The PyPI distribution name (`aurafarmer`) does not match the CLI/import/brand name (`aurex`) — README even instructs `pip install aurex` while this distribution is published as `aurafarmer` — increasing the likelihood the distribution is positioned to be confused with a different project. Caller-supplied secrets flowing to a hardcoded, undisclosed, author-controlled endpoint is the silent-relay shape.\n","modified":"2026-05-26T06:03:09.221810595Z","published":"2026-05-19T21:52:37Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003288","source":"amazon-inspector","modified_time":"2026-05-19T21:52:37Z","import_time":"2026-05-26T05:50:21.401583408Z","versions":["0.3.0"],"sha256":"967bdc07ba43b92a320ad0ef81975a5547d24b987eda5b8cdf863fc7c18245e0"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/aurafarmer/0.3.0/"}],"affected":[{"package":{"name":"aurafarmer","ecosystem":"PyPI","purl":"pkg:pypi/aurafarmer"},"versions":["0.3.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/aurafarmer/MAL-2026-4741.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"3432f375a47d2c32f353cc5cae96c01006a679833944787879acb1989fdc932b6b2b79","path":"aurex/main.py","sha256":"7924d3d9f9e8d16b634ba95c63457256726a7e6c2d363ce280ba0dfb172eff5d"},{"tlsh":"25f00226cd365e23cad5605c2460c9827e71752632d0a00d70cec15c5e9d0c1d3ede3c","sha256":"9debe39c1783e159cc2f5c1bf994882900abd5e75f2abf157c43daa0f54de61a","path":"pyproject.toml"}],"package_integrity":[{"filename":"aurafarmer-0.3.0-py3-none-any.whl","hashes":{"md5":"cef0618a974e9c7b5551f5fe6a13b890","sha256":"8ee81c988b9bf1ada08b28a11d86f4cab9e5c5c36f7c75fa7161f442f2bc9027","blake2b_256":"1d2328967721027fd95c6aa9085716f0e3c9b5af0011e876c92e9f0f2158073f"}},{"filename":"aurafarmer-0.3.0.tar.gz","hashes":{"md5":"5ab81b03d0e9e0203b08eb3ffd10cbc8","blake2b_256":"2b83be64af7fa0721ee24d2ef23d9c63fb8c2d1efb124ddbbe0d664b200b8124","sha256":"239a3399065ad563f302257deaa5f996eb3499bd92dc439dbc5a282a86724473"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}