MAL-2026-10618

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/cosmos-gradio/MAL-2026-10618.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10618
Published
2026-07-14T20:06:55Z
Modified
2026-07-15T05:20:20.129698961Z
Summary
Malicious code in cosmos-gradio (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9bf1266e0846a392e9aaa6805756d26dc427a04415e8a422d53ffce7a1a0c2e2)

cosmos-gradio 9999.0.0 is a dependency-confusion squat published as an sdist-only release with an intentionally inflated version to win highest-version resolution on installers that mix a private index with PyPI. setup.py (executed at sdist build/install) and cosmos_gradio/init.py (executed on import) run the same beacon that collects the installer's hostname, OS username, and current working directory and transmits them to the hardcoded domain oob.asyncrun.in via two channels: (1) a DNS lookup where the '<hostname>|<user>' pair is base32-encoded into a subdomain label under oob.asyncrun.in (out-of-band DNS exfiltration that works even when HTTP egress is blocked), and (2) an HTTP GET carrying the same fields as query-string parameters, with HTTPS attempted first and a plaintext-HTTP fallback. The package name collides with a plausible internal 'cosmos-gradio' package and the release is sdist-only specifically to force setup.py execution on pip install.

Source: kam193 (4d4ef10feeb0a6a16e38e35a866181dda9f270340238049becb9532b4dce2841)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.


Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

  • The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

  • The package overrides the install command in setup.py to execute malicious code during installation.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-14T20:08:19.009662Z",
            "source": "kam193",
            "import_time": "2026-07-14T20:28:26.769516551Z",
            "id": "pypi/GENERIC-standard-pypi-install-pentest/cosmos-gradio",
            "versions": [
                "9999.0.0",
                "9999.0.1"
            ],
            "sha256": "4d4ef10feeb0a6a16e38e35a866181dda9f270340238049becb9532b4dce2841"
        },
        {
            "modified_time": "2026-07-14T21:33:34Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-14T21:49:52.951251501Z",
            "id": "IN-MAL-2026-010569",
            "versions": [
                "9999.0.0"
            ],
            "sha256": "9bf1266e0846a392e9aaa6805756d26dc427a04415e8a422d53ffce7a1a0c2e2"
        }
    ]
}
References
Credits

Affected packages

PyPI / cosmos-gradio

Package

Affected ranges

Affected versions

9999.*
9999.0.0
9999.0.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "cosmos_gradio-9999.0.0.tar.gz",
            "hashes": {
                "md5": "758a2a119b9b16403f02d33d36707dde",
                "blake2b_256": "24c8edd2d571c99ae1f3180a07f68cb9d67cc302cb06fb0318098e6713a45534",
                "sha256": "5a7301312d77a63e9e0f26058519bdcc0588846d148fccde5c633663d2295cc8"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "94515513a42124b7e087a4d85971b6f5f332e52b6f02a538badcc3846fce4b5c2a7954",
            "path": "setup.py",
            "sha256": "1e893e675b8ca390fe10afd9b8e93eaf9a08cb204f89f5ef12f57840bb97be84"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/cosmos-gradio/MAL-2026-10618.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]