{"id":"MAL-2026-4769","summary":"Malicious code in soundsource (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e3285c5fec24c01c9c463e85c199934f5a08da7e94277583430a6e3feb274add)\nThe package's source distribution contains `Token.txt` at the tarball root holding a live PyPI API token (prefix `pypi-AgEIcHlwaS5vcmc...`). Anyone who downloads or installs the sdist obtains a credential granting publish rights on PyPI under the author's account, enabling republication of trojaned versions of this package (and any other package within the token's scope) to all downstream installers. Additional quality concerns include a malformed `Homepage` URL in `pyproject.toml` (`https://https://github.com/...`) and a placeholder `DEFAULT_BASE_URL` pointing at `api.soundsource.example.com`, indicating an unreviewed publish.\n","modified":"2026-05-26T06:03:15.562847655Z","published":"2026-05-19T19:52:10Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["0.1.0"],"id":"IN-MAL-2026-003268","import_time":"2026-05-26T05:50:19.531091426Z","modified_time":"2026-05-19T19:52:10Z","sha256":"e3285c5fec24c01c9c463e85c199934f5a08da7e94277583430a6e3feb274add"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/soundsource/0.1.0/"}],"affected":[{"package":{"name":"soundsource","ecosystem":"PyPI","purl":"pkg:pypi/soundsource"},"versions":["0.1.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/soundsource/MAL-2026-4769.json","indicators":{"package_integrity":[{"filename":"soundsource-0.1.0-py3-none-any.whl","hashes":{"blake2b_256":"5f0243d8442851fcaf25fddbe25da18269d786cb07b3f2e79135ebe5e654abfe","md5":"fcbbbceeb51675abaf0f4da38bfd75dc","sha256":"4be22646789c855bbfb198dae5c7bf5157aff8f45542a53331aa482459c92a8b"}},{"filename":"soundsource-0.1.0.tar.gz","hashes":{"blake2b_256":"9a84d0c611a2482125d5be4f4ef1eddce3f1ebc250f4d9b753154421466d8ff1","md5":"5b17ec51d5f30bf2bdc7e9ac456b9ed5","sha256":"0337a492b64e9755489103cea356705df16259e05bc1aba5f939fd960b631050"}}],"evidence_files":[{"sha256":"f000a23149d74c170ddb282dfdfd70316a69fe10996f0d4cc370fb2279735ad5","tlsh":"8dc022371820924a20c430c6889c752cb141f5f10c0212c268d9d5b8f4445c02159081","path":"Token.txt"},{"path":"pyproject.toml","sha256":"af82d66f5f3f742e1458d1a380af24ec41230fcc382ddf908b63dc992d94130a","tlsh":"cf310df3c9c62eb98ab110a0506a0e41f671511f764804eeb9f7824d1b38ebb84bcc29"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}