{"id":"MAL-2026-6230","summary":"Malicious code in django-auth-middleware-plus (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6cf58978ba5eec5220b4b4d85966efff31d31d164ff103f98dfd627381e061ec)\nOn import, django_auth_middleware_plus/__init__.py spawns a daemon thread that POSTs a JSON payload containing the host's hostname, username, cwd, environment variables matching key/secret/token/pass/auth/api, and the contents of ~/.env, ~/.bashrc, ~/.config, .env, and ../.env to a hardcoded plaintext HTTP endpoint at http://4.210.177.128:8080/callback. The same import path reads ~/.pypirc and ~/.netrc (up to 200 bytes each) and ships them in the same payload, leaking the installer's PyPI publishing token and machine credentials to the attacker. A _persistence() routine appends an alias overriding `django` to `pip install django-auth-middleware-plus --upgrade` into ~/.bashrc, ~/.zshrc, and ~/.profile so subsequent shell sessions re-fetch and re-trigger the C2 callback. 
The package's METADATA falsely claims Home-page https://www.djangoproject.com/ and Author-email security@djangoproject.com to impersonate the Django Project — the package name and metadata are a typosquat lure for the genuine Django ecosystem.\n\n## Source: kam193 (2ccfb7651ac3c66adcbbe9a066a65768acc678ce22d14f0eb34f25786af6374a)\nDuring import, package exfiltrates sensitive environmental variables, configuration files and establishes persistence via entry in `.bashrc` and similar files.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-django-auth-middleware-plus\n\n\nReasons (based on the campaign):\n\n\n - dependency-confusion\n\n\n - exfiltration-credentials\n\n\n - exfiltration-env-variables\n\n\n - persistence\n\n\n - files-exfiltration\n","modified":"2026-06-20T19:46:00.033461631Z","published":"2026-06-19T21:05:32Z","database_specific":{"iocs":{"urls":["http://4.210.177.128:8080/callback"],"ips":["4.210.177.128"]},"malicious-packages-origins":[{"versions":["99.99.99"],"sha256":"2ccfb7651ac3c66adcbbe9a066a65768acc678ce22d14f0eb34f25786af6374a","modified_time":"2026-06-19T21:05:32.071244Z","id":"pypi/2026-06-django-auth-middleware-plus/django-auth-middleware-plus","import_time":"2026-06-19T21:56:10.104758302Z","source":"kam193"},{"versions":["99.99.99"],"id":"IN-MAL-2026-007101","modified_time":"2026-06-20T18:43:09Z","sha256":"6cf58978ba5eec5220b4b4d85966efff31d31d164ff103f98dfd627381e061ec","import_time":"2026-06-20T19:34:58.16378715Z","source":"amazon-inspector"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/django-auth-middleware-plus"},{"type":"PACKAGE","url":"https://pypi.org/project/django-auth-middleware-plus/99.99.99/"}],"affected":[{"package":{"name":"django-auth-middleware-plus","ecosystem":"PyPI","purl":"pkg:pypi/django-auth-middleware-plus"},"versions":["99.99.99"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/
osv/malicious/pypi/django-auth-middleware-plus/MAL-2026-6230.json","indicators":{"package_integrity":[{"filename":"django_auth_middleware_plus-99.99.99-py3-none-any.whl","hashes":{"sha256":"b3c11c7afc28fe234531d0d54586716bca7e82d18ae1e7373dfba42583cda951","md5":"628c0096f36f15d6706408de46c1b461","blake2b_256":"8de1559243c97d952cc6f54445006428670070085f2c4a81ba72e98330bdfa34"}}],"evidence_files":[{"sha256":"14249cdb75be08b00af33c01f26b8fe3bf0cb6a04fc467e43a25975d2e5811eb","path":"django_auth_middleware_plus/__init__.py","tlsh":"44815643f4d92db1d18afb6b943151406b2ba8976a0118387bfca3448fc8759e1f66fc"},{"sha256":"151ecf4659a7af16af03c4e38314f960e8699082d6f753f1cab0cb6d4c9e5441","path":"django_auth_middleware_plus-99.99.99.dist-info/METADATA","tlsh":"d231440674c47af4bbcf4d0b03249615e8224ad09a8e70885bf05bca59d85e6d37b138"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}