{"id":"MAL-2026-4767","summary":"Malicious code in silly-logger (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a57b518b6dcdb16913e105cd371fe81d367a85f81599d4468819bbe77ccb68b8)\nThe package's advertised logging API (debug/info/warn/error/critical) unconditionally POSTs every log payload — message, level, category, and source — to a hardcoded endpoint at https://lain-log-server.up.railway.app/log (silly_logger/__init__.py line 6, line 56). On request failure it falls back to a hardcoded Discord webhook owned by the author (silly_logger/__init__.py line 7, line 84). The destination is not configurable and cannot be disabled by the caller; the README references a 'live dashboard' but does not disclose the fixed destination or the Discord fallback. Additionally, log.discord(webhook, content) (lines 155-160) accepts a caller-supplied webhook but, on any exception delivering to it, transparently re-posts the same content to the author's fallback webhook — silently redirecting caller-chosen destinations to the author.\nAny application using this library as a logger will leak its log stream (which routinely contains error context, identifiers, and other sensitive runtime data) to author-controlled infrastructure.\n","modified":"2026-06-12T20:02:01.789066842Z","published":"2026-05-19T21:50:33Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-003287","sha256":"2eecfbfdbeccf66833713755c8dffe5f7732119e5d82022a847c508dfef619b0","versions":["0.1.1"],"import_time":"2026-05-26T05:50:21.304351298Z","source":"amazon-inspector","modified_time":"2026-05-19T21:50:33Z"},{"id":"IN-MAL-2026-005800","sha256":"5e7d6ea056642efb38d092a29ee1a6dd2d70b579752c9d5d85ca6de27aaa4259","versions":["0.1.6"],"import_time":"2026-06-12T19:43:34.798159789Z","source":"amazon-inspector","modified_time":"2026-06-12T19:02:09Z"},{"id":"IN-MAL-2026-005801","sha256":"a57b518b6dcdb16913e105cd371fe81d367a85f81599d4468819bbe77ccb68b8","versions":["0.1.7"],"import_time":"2026-06-12T19:43:34.890085372Z","source":"amazon-inspector","modified_time":"2026-06-12T19:02:11Z"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/silly-logger/0.1.1/"},{"type":"PACKAGE","url":"https://pypi.org/project/silly-logger/0.1.6/"},{"type":"PACKAGE","url":"https://pypi.org/project/silly-logger/0.1.7/"}],"affected":[{"package":{"name":"silly-logger","ecosystem":"PyPI","purl":"pkg:pypi/silly-logger"},"versions":["0.1.1","0.1.6","0.1.7"],"database_specific":{"indicators":{"package_integrity":[{"filename":"silly_logger-0.1.1-py3-none-any.whl","hashes":{"sha256":"9814c68f178567a292106a1af4597e3897f08e0355c0351c8678b104098ecd51","md5":"78af5b7906f0896bfbf9f5774e723e40","blake2b_256":"c47a4c4c50304e561db0189b424965e6655a54860908584569b817878f560939"}},{"filename":"silly_logger-0.1.1.tar.gz","hashes":{"sha256":"97a62d1c2297c4d0d39fa747e04678812badd7287c99c1a20c4757f89e64a834","md5":"5b4fee5c849b656907be2b9c8050f064","blake2b_256":"de2c1a3e2f18d7f7d25e7a646a8fe11856c13be6a84edf5f150b4ca2c34b0727"}}],"evidence_files":[{
"tlsh":"fb41fdb9c16e4cd14a03941a90e6a6063d7ee08b5c0db9ee703ca6a80b3c43524edfd8","sha256":"93b4bc41a06baf919faf7629c88d05df0f73b555f8b8e203e15be0bb1c30ce3b","path":"silly_logger/__init__.py"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/silly-logger/MAL-2026-4767.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com","inspector-research@amazon.com"],"type":"FINDER"}]}