{"id":"PYSEC-2025-5","summary":"Exfiltrates user cookies to hardcoded server endpoint during normal operations","details":"Published in 2020, the autodzee package is a Python library\nthat bypasses Deezer API restrictions to download music.\nThe package was found to exfiltrate user data to a hardcoded server,\nwhich could be used for malicious purposes.\n","modified":"2025-02-26T20:57:11Z","published":"2025-02-26T21:31:15.309434Z","references":[{"type":"EVIDENCE","url":"https://inspector.pypi.io/project/browsercmdhbt2/0.92/packages/7e/29/415779aabb5f53eee7911e62e564a5ddaaf98d01a404feecb5b733e8b861/browsercmdhbt2-0.92-py3-none-any.whl/browsercmd/main/google.py#line.15"},{"type":"EVIDENCE","url":"https://inspector.pypi.io/project/browsercmdhbt2/0.92/packages/7e/29/415779aabb5f53eee7911e62e564a5ddaaf98d01a404feecb5b733e8b861/browsercmdhbt2-0.92-py3-none-any.whl/browsercmd/main/google.py#line.69"}],"affected":[{"package":{"name":"browsercmdhbt2","ecosystem":"PyPI","purl":"pkg:pypi/browsercmdhbt2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/browsercmdhbt2/PYSEC-2025-5.yaml"}}],"schema_version":"1.7.3","credits":[{"name":"Mike Fiedler","type":"COORDINATOR"}]}