-= Per source details. Do not edit below this line.=-
darkglitch 1.2.0 ships a listener mode (-l -c) that opens a WebSocket connection to the hardcoded signaling host https://malware-signal.vercel.app/ and joins the fixed room D4RKGLI7CH. Incoming remote-command messages are passed directly into subprocess.run(command, shell=True) inside _execute_command, giving any party with access to that signaling server arbitrary shell execution on the host running the listener. core/config.py hardcodes the host and room. The -r/--run mode invokes PyInstaller with --noconsole --onefile to build darkglitch_listener.exe, a windowless Windows agent whose entry point immediately calls asyncio.run(listen_bash_mode()), packaging the same remote-shell listener as a hidden persistent agent. The self-labeling of the host as malware-signal.vercel.app and the room as D4RKGLI7CH matches the operational shape of a remote-access trojan.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-16T18:43:08Z",
"sha256": "6d02eb8be388433532783a7bf88864824b50756b7ced4f8728721866740c5df1",
"versions": [
"1.2.0"
],
"import_time": "2026-07-16T18:54:03.060429874Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010758"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "darkglitch-1.2.0-py3-none-any.whl",
"hashes": {
"sha256": "c216762c6f26c96dca1abddc755209faa25333b94f90e0299065a63013fe181f",
"md5": "c1c4ae29bbf2b29c0939b20b4e4ead4c",
"blake2b_256": "c879c44ed1ab8914613126df674f751601713f1774dc647643c42bacc0967b64"
}
},
{
"filename": "darkglitch-1.2.0.tar.gz",
"hashes": {
"sha256": "28e7cadb2ede0b6852027769fb6072e8af2634175304ea22adc08de08e684ed9",
"blake2b_256": "9b8a7b6f1367bf24684cc67880b11b17bb702134f9de31d757b9910cac058c22",
"md5": "fa94b3faf1d48c41e07aada064153bc7"
}
}
],
"evidence_files": [
{
"tlsh": "3af115d589be5c15c2875099a8a6b3521101bb032f08357a7dec76a81f4c32ad5b4fde",
"sha256": "6ab028325a6c5f179e95351eb30fcf0e53c09bbde826bac31cc0a50435a8f472",
"path": "command_injection/injector.py"
},
{
"tlsh": "25a012632325407501498c44c007f80c730573686481025064011c49d9105d00392101",
"sha256": "0f7e2a4880c8807b0ad1212de92751b2f6c031cd6cc4bea80a07ec2e9a27ea8d",
"path": "core/config.py"
},
{
"tlsh": "9a41512aca356e7106c3ca5e68b303d3c556d01709d0312534dec7982f9ba8e4276bed",
"sha256": "5768ef6be70ecad0c0babae00a11c850915399f0c1895b6982d87a122311f1e1",
"path": "command/run/build_exe.py"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/darkglitch/MAL-2026-10756.json"