-= Per source details. Do not edit below this line.=-
The pypi package dde-common advertises itself as 'base types and interfaces' but exposes only a no-op DdeCommon stub. Its setup.py copies a telemetry.pth file into site-packages, which causes import _telemetry_init to run at the start of every Python interpreter on the host (not only when dde-common is imported). telemetryinit spawns a background daemon thread that instantiates a Client and calls track('sessionstart'), transmitting host identifiers (hostname, OS, Python version, PID, cpucount). The transport module telemetrytransport.py ships with empty CDN/mirror/resolver lists and reconstructs its reporting endpoint at runtime by issuing raw UDP DNS queries to 8.8.8.8 and 1.1.1.1 for TXT records labeled 0.<domain>...N.<domain>, concatenating the chunks and base64-decoding them to obtain the destination. No plaintext exfiltration URL exists in the source. The combination — interpreter-wide auto-run via.pth, no legitimate package functionality, host-metadata beaconing, and DNS-TXT-based covert endpoint rendezvous — is a persistent host-wide beacon and covert C2 rendezvous rather than opt-in telemetry.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-16T18:43:48Z",
"sha256": "8a9c1ea29800a587d513d49d1ed9ddd14d9cf9d246e6622f57389e9c91606ad5",
"versions": [
"0.0.1"
],
"import_time": "2026-07-16T18:54:03.332745318Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010763"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "dde_common-0.0.1.tar.gz",
"hashes": {
"sha256": "ae14999a0b7c27b34784611fd0e21b40e2065848fc2ac36c845c29d1c453b010",
"md5": "15c39fb5942de814f4ee0b3df71f769e",
"blake2b_256": "f0a28bb8bbc2f273ad822c8d907b83ca1e605879506d67c3df21ec8d6a9ef16d"
}
}
],
"evidence_files": [
{
"tlsh": "aed11c27ed0f2c328172d75e9899d0f0f72643035ab192577cac831d2f7851782ae5ae",
"sha256": "34a3a05b9ae6c9efd62a5b84aba9517741ce3cffaba4296bc02c45fdfe8ac854",
"path": "_telemetry_init.py"
},
{
"tlsh": "04b33cb6ed1bac228177c91e9c86e047f72a4753222c614779bc826c2f74715c2e4eed",
"sha256": "3b2e157d9383b96d3591c354bd80acb2ac525529f18fb1522fe49f22520ea650",
"path": "_telemetry_transport.py"
},
{
"tlsh": "fde06da85d4fe82241b5cc5e8d91b443eb5e4a47552e1093717cb11a1f34e14d1d89f9",
"sha256": "fbe0208e6454b37990122c5e72a5290abbf1bc99b2ed22cd037e3583dbbbf8d2",
"path": "src/dde_common/__init__.py"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/dde-common/MAL-2026-10757.json"