MAL-2026-10756

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/darkglitch/MAL-2026-10756.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10756
Published
2026-07-16T18:43:08Z
Modified
2026-07-16T19:20:02.511995766Z
Summary
Malicious code in darkglitch (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6d02eb8be388433532783a7bf88864824b50756b7ced4f8728721866740c5df1)

darkglitch 1.2.0 ships a listener mode (-l -c) that opens a WebSocket connection to the hardcoded signaling host https://malware-signal.vercel.app/ and joins the fixed room D4RKGLI7CH. Incoming remote-command messages are passed directly into subprocess.run(command, shell=True) inside _execute_command, giving any party with access to that signaling server arbitrary shell execution on the host running the listener. core/config.py hardcodes the host and room. The -r/--run mode invokes PyInstaller with --noconsole --onefile to build darkglitch_listener.exe, a windowless Windows agent whose entry point immediately calls asyncio.run(listen_bash_mode()), packaging the same remote-shell listener as a hidden persistent agent. The self-labeling of the host as malware-signal.vercel.app and the room as D4RKGLI7CH matches the operational shape of a remote-access trojan.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-16T18:43:08Z",
            "sha256": "6d02eb8be388433532783a7bf88864824b50756b7ced4f8728721866740c5df1",
            "versions": [
                "1.2.0"
            ],
            "import_time": "2026-07-16T18:54:03.060429874Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010758"
        }
    ]
}
References
Credits

Affected packages

PyPI / darkglitch

Package

Affected ranges

Affected versions

1.*
1.2.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "darkglitch-1.2.0-py3-none-any.whl",
            "hashes": {
                "sha256": "c216762c6f26c96dca1abddc755209faa25333b94f90e0299065a63013fe181f",
                "md5": "c1c4ae29bbf2b29c0939b20b4e4ead4c",
                "blake2b_256": "c879c44ed1ab8914613126df674f751601713f1774dc647643c42bacc0967b64"
            }
        },
        {
            "filename": "darkglitch-1.2.0.tar.gz",
            "hashes": {
                "sha256": "28e7cadb2ede0b6852027769fb6072e8af2634175304ea22adc08de08e684ed9",
                "blake2b_256": "9b8a7b6f1367bf24684cc67880b11b17bb702134f9de31d757b9910cac058c22",
                "md5": "fa94b3faf1d48c41e07aada064153bc7"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "3af115d589be5c15c2875099a8a6b3521101bb032f08357a7dec76a81f4c32ad5b4fde",
            "sha256": "6ab028325a6c5f179e95351eb30fcf0e53c09bbde826bac31cc0a50435a8f472",
            "path": "command_injection/injector.py"
        },
        {
            "tlsh": "25a012632325407501498c44c007f80c730573686481025064011c49d9105d00392101",
            "sha256": "0f7e2a4880c8807b0ad1212de92751b2f6c031cd6cc4bea80a07ec2e9a27ea8d",
            "path": "core/config.py"
        },
        {
            "tlsh": "9a41512aca356e7106c3ca5e68b303d3c556d01709d0312534dec7982f9ba8e4276bed",
            "sha256": "5768ef6be70ecad0c0babae00a11c850915399f0c1895b6982d87a122311f1e1",
            "path": "command/run/build_exe.py"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/darkglitch/MAL-2026-10756.json"