{"id":"MAL-2026-4772","summary":"Malicious code in txdpy (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (767f0e720df9d2dd670fc9c607db01794649653be89daa42f01dfe34a69a8ecd)\nThe package exports a 发送邮件 (send_email) function whose default sender, recipient, and SMTP auth code are hardcoded to the author's QQ account. In txdpy/发送邮件.py lines 14-17, sender_email defaults to '3215176932@qq.com', receiver_email defaults to 'xdsndy@qq.com', and password defaults to the embedded QQ SMTP authorization code. A caller invoking this documented API with the minimal signature (subject and body only) silently delivers their message content to the author's inbox via smtp.qq.com using the author's credentials — the API's advertised purpose (generic email sending) does not match its actual behavior (relaying to a fixed author-controlled mailbox). The function is re-exported from __init__.py, making it part of the package's public surface. Additionally, txdpy/翻译.py:18-20 ships the author's Baidu Translate API credentials (appid 20220712001270949 + secret_key) — author self-harm rather than installer harm, but corroborates a pattern of careless credential handling. A separate quality issue: pyndjs.py:74 evaluates os.popen('where node') as a function default argument, causing shell execution at import time.\n","modified":"2026-05-26T06:03:15.565889856Z","published":"2026-05-20T17:54:34Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"767f0e720df9d2dd670fc9c607db01794649653be89daa42f01dfe34a69a8ecd","modified_time":"2026-05-20T17:54:34Z","id":"IN-MAL-2026-003581","import_time":"2026-05-26T05:50:54.073724066Z","versions":["2026.5"]}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/txdpy/2026.5/"}],"affected":[{"package":{"name":"txdpy","ecosystem":"PyPI","purl":"pkg:pypi/txdpy"},"versions":["2026.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/txdpy/MAL-2026-4772.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"f5219c056e9b2caf21fae187f416a404eadc10032a385664f4186e1e3f3be1722517ba","sha256":"af4d7a0b645703f9d8a60f2363cf33d78c31e6f03348966f0b382b2320ae3af4","path":"txdpy/发送邮件.py"},{"tlsh":"1c118c219c26600590b1d52e62d67c14d03fe5025bd86f377b5dd51b1f7315939f8a4c","sha256":"38d29739be980985a1d2d86945efb0d81936054d3865706adcbcb84fb8ba6094","path":"txdpy/翻译.py"},{"tlsh":"54c1a6057c663a2481b3ba251847090ae17d6bb388e870e9fbddc1e11f75c18427af7e","sha256":"3232898209de9a56fc49e0c1c73dc0d9f0fd920e1a3bb95505f98e924ece09e6","path":"txdpy/pyndjs.py"}],"package_integrity":[{"filename":"txdpy-2026.5-py3-none-any.whl","hashes":{"sha256":"d15e1268b13116f914a1ce91610d8530bf1a2cac4ea364c139b5be7aba6ea920","blake2b_256":"a4c00487cef669b5d71f50705b094932779228aead9662334183d583c8f4493e","md5":"26e1296dae3ecf1d0ca83bb8dd425faf"}},{"filename":"txdpy-2026.5.tar.gz","hashes":{"sha256":"f71b126a57a49ac63ee86dde08d976d659a4ddfdb00fa149a406eaeff3ae6fba","blake2b_256":"f2df556a3161181a4fb17421b7427a4489056d819bd11d477c3b5b3f67ab2dda","md5":"355f8d80f4729bd1327b9797430bc945"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}