{"id":"MAL-2026-4795","summary":"Malicious code in massive (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (02d8dea3e47a2bd45fc796f33fc582956aec2be887add9672fd5eccc91c2135d)\nPackage self-describes as the 'Official Massive (formerly Polygon.io) REST and Websocket client,' a false rebrand claim — Polygon.io has not changed names. The source is a near-verbatim clone of the legitimate polygon-api-client with brand strings substituted: massive/rest/__init__.py hardcodes `BASE = \"https://api.massive.com\"`, the API key environment variable is renamed `MASSIVE_API_KEY`, and the repository URL `github.com/massive-com/client-python` is a lookalike of `polygon-io/client-python`. Because the API shape is identical to the legitimate Polygon SDK, copy-pasted developer code 'just works' but sends the caller's real Polygon bearer token (massive/rest/base.py:46 attaches `Authorization: Bearer \u003cAPI_KEY\u003e` to every request) plus all market-data queries to api.massive.com — a destination the developer did not choose and which the documented config does not redirect (callers would have to override `base=` on every client instantiation). The websocket client similarly hardcodes a non-Polygon feed host.\nNet effect: any developer installing this expecting the Polygon SDK silently relays their API credentials and queries to an attacker-controlled lookalike domain.\n","modified":"2026-05-27T00:32:13.689980164Z","published":"2026-05-26T09:10:52Z","withdrawn":"2026-05-26T21:29:31Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"02d8dea3e47a2bd45fc796f33fc582956aec2be887add9672fd5eccc91c2135d","modified_time":"2026-05-26T09:10:52Z","import_time":"2026-05-26T09:17:33.641161541Z","id":"IN-MAL-2026-004883","versions":["2.8.0"]}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/massive/2.8.0/"}],"affected":[{"package":{"name":"massive","ecosystem":"PyPI","purl":"pkg:pypi/massive"},"versions":["2.8.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/massive/MAL-2026-4795.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"sha256":"f259b89736e3027276b00b9b92dcf31c64f09627874c05b4a56d8c51a0f7c813","path":"massive/rest/__init__.py","tlsh":"094157172a7a327865968f58c86ae241173a18230f03346671bc017c2f4f27fb7be798"}],"package_integrity":[{"filename":"massive-2.8.0-py3-none-any.whl","hashes":{"sha256":"d04332c9dec289bdf71e4cfaf8bfba26bd10e5829806d27b833488e89ee5015b","blake2b_256":"c90d01464a7faa974cf0e6345cf93f2f5d10991a316e733d3f55e36fbb2d814d","md5":"7af769824889e7dfe29f1d7e171b9ec8"}},{"filename":"massive-2.8.0.tar.gz","hashes":{"sha256":"e3f70c4b51e03b105a01a5a91e01745c43f9f5d4da9459ea80e1b7c3e7a17278","blake2b_256":"9cb27cc9fadccd111b9fa1c378dad6a668312b563600d19498d26051fb57cf73","md5":"d44be6a748b97405232102b797376359"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}