mal-2026-4825
Vulnerability from ossf_malicious_packages
Published
2026-05-26 15:08
Modified
2026-05-26 17:27
Summary
Malicious code in cdktn-provider-newrelic (PyPI)
Details
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (51996ccf23fd3d3b291f945e2ec88504c93d7e302e183c7633632b8a03d1590d)
Package name 'cdktn-provider-newrelic' is a single-character edit (cdktf→cdktn) of HashiCorp's official 'cdktf-provider-newrelic' (CDK for Terraform NewRelic provider bindings). The package replicates the target's full API surface — 80+ Terraform resource modules including alert_policy, nrql_alert_condition, and synthetics_* — and rebrands 'CDK for Terraform (cdktf)' as 'CDK Terrain (cdktn)' across the README and metadata, with a fabricated homepage (cdktn.io) and GitHub org (cdktn-io / open-constructs). setup.py declares install_requires of 'cdktn>=0.23.0,<0.24.0' — itself a typosquat of HashiCorp's 'cdktf' runtime — so a developer who mistypes the package name during pip install silently pulls a sibling typosquat package whose code runs at import time. The combination of a top-tier registry typosquat, full API mimicry to evade detection by would-be users, and a transitive typosquat dependency injected via install_requires constitutes namespace-abuse: the install resolves attacker-controlled code into the developer's environment under cover of HashiCorp's published API.
CWE
- CWE-506 - The product contains code that appears to be malicious in nature.
Credits
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "setup.py",
"sha256": "8b9855d507ad37d2cff0c13dcb23de6ad58aedf0c1712986377c3aa4044e36e1",
"tlsh": "0cd16951fa939eb101ea19807cc92d00ea5612936d001e6cff4e897cfb7b9ea15751cf"
}
],
"package_integrity": [
{
"filename": "cdktn_provider_newrelic-15.0.5-py3-none-any.whl",
"hashes": {
"blake2b_256": "40d0b6d9bd0520606f5ec59a2c42325b525f06dd890737dd136a4ac27e35fb5d",
"md5": "f9fde7baef3f5c45e666ea8048dd4988",
"sha256": "79a9bb8d87392b035cd8fb4337fba9997b5e431be914d73f5b6a5d82c40d69fa"
}
},
{
"filename": "cdktn_provider_newrelic-15.0.5.tar.gz",
"hashes": {
"blake2b_256": "91c5ac4f4dcaa64c48dcc2894d97d5b65f3286b6fdea6f2bb7791367b329532b",
"md5": "bd2a33c24a5a2801e6e1b2aecd433018",
"sha256": "acd0f49d7caa60b877cdb4e4c9b2920316c1d47c5f05e210538af05a7ca55eab"
}
}
]
}
},
"package": {
"ecosystem": "PyPI",
"name": "cdktn-provider-newrelic"
},
"versions": [
"15.0.5"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004924",
"import_time": "2026-05-26T16:47:31.406727201Z",
"modified_time": "2026-05-26T15:08:38Z",
"sha256": "51996ccf23fd3d3b291f945e2ec88504c93d7e302e183c7633632b8a03d1590d",
"source": "amazon-inspector",
"versions": [
"15.0.5"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (51996ccf23fd3d3b291f945e2ec88504c93d7e302e183c7633632b8a03d1590d)\nPackage name \u0027cdktn-provider-newrelic\u0027 is a single-character edit (cdktf\u2192cdktn) of HashiCorp\u0027s official \u0027cdktf-provider-newrelic\u0027 (CDK for Terraform NewRelic provider bindings). The package replicates the target\u0027s full API surface \u2014 80+ Terraform resource modules including alert_policy, nrql_alert_condition, and synthetics_* \u2014 and rebrands \u0027CDK for Terraform (cdktf)\u0027 as \u0027CDK Terrain (cdktn)\u0027 across the README and metadata, with a fabricated homepage (cdktn.io) and GitHub org (cdktn-io / open-constructs). setup.py declares install_requires of \u0027cdktn\u003e=0.23.0,\u003c0.24.0\u0027 \u2014 itself a typosquat of HashiCorp\u0027s \u0027cdktf\u0027 runtime \u2014 so a developer who mistypes the package name during `pip install` silently pulls a sibling typosquat package whose code runs at import time. The combination of a top-tier registry typosquat, full API mimicry to evade detection by would-be users, and a transitive typosquat dependency injected via install_requires constitutes namespace-abuse: the install resolves attacker-controlled code into the developer\u0027s environment under cover of HashiCorp\u0027s published API.\n",
"id": "MAL-2026-4825",
"modified": "2026-05-26T17:27:32Z",
"published": "2026-05-26T15:08:38Z",
"references": [
{
"type": "PACKAGE",
"url": "https://pypi.org/project/cdktn-provider-newrelic/15.0.5/"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in cdktn-provider-newrelic (PyPI)",
"withdrawn": "2026-05-26T17:27:32Z"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…