mal-2026-4824
Vulnerability from ossf_malicious_packages
Published: 2026-05-26 15:09
Modified: 2026-05-26 17:27
Summary: Malicious code in cdktn-provider-datadog (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (29ce930466b101c48ae641d7e4ad57f3d5169b9f14b1e041e4264e75cbfd965b)

Package name cdktn-provider-datadog is a single-character variant (f→n) of HashiCorp's widely-used cdktf-provider-datadog CDKTF provider. README and source have been edited to reference a fictitious 'CDK Terrain' project at cdktn.io / github.com/cdktn-io. setup.py declares install_requires=['cdktn>=0.23.0, <0.24.0',...], and src/cdktn_provider_datadog/_jsii/__init__.py unconditionally executes import cdktn._jsii at module load. Installing this package therefore forces resolution and installation of a separately-published cdktn core package in a parallel typosquat namespace controlled by an unrelated third party. A developer who mistypes the legitimate package name pulls in the entire cdktn* namespace as transitive dependencies, whose code runs whenever the provider is imported.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits
Amazon Inspector actran@amazon.com

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "setup.py",
              "sha256": "e971505ed73893dd40132212f994d15c4d6939dbcad7371bce6690babe8d2932",
              "tlsh": "136231d4fc9a685100993800acd57804e0a676871b0725bcbb7f84ecfb66d2bf5f66c9"
            }
          ],
          "package_integrity": [
            {
              "filename": "cdktn_provider_datadog-15.1.1-py3-none-any.whl",
              "hashes": {
                "blake2b_256": "b32b6f68578fbe713fcdb5200e65e8334bae899a59dfbe0df12ab663dc43957e",
                "md5": "c4d9411876a1b0d0c144ae0d222adb2e",
                "sha256": "fffbedf51067ace6b7bb6a4c9e8088eacdb65f86465886730c8188cc053d948a"
              }
            },
            {
              "filename": "cdktn_provider_datadog-15.1.1.tar.gz",
              "hashes": {
                "blake2b_256": "7c3631b7ac55fe0262ff99046c4f49121d1761c3058c82455585754aab941ae1",
                "md5": "0b466bc50f12a61a5d78c9b2149d1ed3",
                "sha256": "60a0c8a29a9916b9c68074bf95b4accca2000d176716f2b8a567773778180443"
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "cdktn-provider-datadog"
      },
      "versions": [
        "15.1.1"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "actran@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-004925",
        "import_time": "2026-05-26T16:47:31.442160835Z",
        "modified_time": "2026-05-26T15:09:17Z",
        "sha256": "29ce930466b101c48ae641d7e4ad57f3d5169b9f14b1e041e4264e75cbfd965b",
        "source": "amazon-inspector",
        "versions": [
          "15.1.1"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (29ce930466b101c48ae641d7e4ad57f3d5169b9f14b1e041e4264e75cbfd965b)\nPackage name `cdktn-provider-datadog` is a single-character variant (f\u2192n) of HashiCorp\u0027s widely-used `cdktf-provider-datadog` CDKTF provider. README and source have been edited to reference a fictitious \u0027CDK Terrain\u0027 project at `cdktn.io` / `github.com/cdktn-io`. setup.py declares `install_requires=[\u0027cdktn\u003e=0.23.0, \u003c0.24.0\u0027,...]`, and `src/cdktn_provider_datadog/_jsii/__init__.py` unconditionally executes `import cdktn._jsii` at module load. Installing this package therefore forces resolution and installation of a separately-published `cdktn` core package in a parallel typosquat namespace controlled by an unrelated third party. A developer who mistypes the legitimate package name pulls in the entire `cdktn*` namespace as transitive dependencies, whose code runs whenever the provider is imported.\n",
  "id": "MAL-2026-4824",
  "modified": "2026-05-26T17:27:32Z",
  "published": "2026-05-26T15:09:17Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/cdktn-provider-datadog/15.1.1/"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in cdktn-provider-datadog (PyPI)",
  "withdrawn": "2026-05-26T17:27:32Z"
}

