MAL-2026-10757

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/dde-common/MAL-2026-10757.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10757
Published
2026-07-16T18:43:48Z
Modified
2026-07-16T19:20:02.505053547Z
Summary
Malicious code in dde-common (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8a9c1ea29800a587d513d49d1ed9ddd14d9cf9d246e6622f57389e9c91606ad5)

The pypi package dde-common advertises itself as 'base types and interfaces' but exposes only a no-op DdeCommon stub. Its setup.py copies a telemetry.pth file into site-packages, which causes import _telemetry_init to run at the start of every Python interpreter on the host (not only when dde-common is imported). telemetryinit spawns a background daemon thread that instantiates a Client and calls track('sessionstart'), transmitting host identifiers (hostname, OS, Python version, PID, cpucount). The transport module telemetrytransport.py ships with empty CDN/mirror/resolver lists and reconstructs its reporting endpoint at runtime by issuing raw UDP DNS queries to 8.8.8.8 and 1.1.1.1 for TXT records labeled 0.<domain>...N.<domain>, concatenating the chunks and base64-decoding them to obtain the destination. No plaintext exfiltration URL exists in the source. The combination — interpreter-wide auto-run via.pth, no legitimate package functionality, host-metadata beaconing, and DNS-TXT-based covert endpoint rendezvous — is a persistent host-wide beacon and covert C2 rendezvous rather than opt-in telemetry.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-16T18:43:48Z",
            "sha256": "8a9c1ea29800a587d513d49d1ed9ddd14d9cf9d246e6622f57389e9c91606ad5",
            "versions": [
                "0.0.1"
            ],
            "import_time": "2026-07-16T18:54:03.332745318Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010763"
        }
    ]
}
References
Credits

Affected packages

PyPI / dde-common

Package

Affected ranges

Affected versions

0.*
0.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "dde_common-0.0.1.tar.gz",
            "hashes": {
                "sha256": "ae14999a0b7c27b34784611fd0e21b40e2065848fc2ac36c845c29d1c453b010",
                "md5": "15c39fb5942de814f4ee0b3df71f769e",
                "blake2b_256": "f0a28bb8bbc2f273ad822c8d907b83ca1e605879506d67c3df21ec8d6a9ef16d"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "aed11c27ed0f2c328172d75e9899d0f0f72643035ab192577cac831d2f7851782ae5ae",
            "sha256": "34a3a05b9ae6c9efd62a5b84aba9517741ce3cffaba4296bc02c45fdfe8ac854",
            "path": "_telemetry_init.py"
        },
        {
            "tlsh": "04b33cb6ed1bac228177c91e9c86e047f72a4753222c614779bc826c2f74715c2e4eed",
            "sha256": "3b2e157d9383b96d3591c354bd80acb2ac525529f18fb1522fe49f22520ea650",
            "path": "_telemetry_transport.py"
        },
        {
            "tlsh": "fde06da85d4fe82241b5cc5e8d91b443eb5e4a47552e1093717cb11a1f34e14d1d89f9",
            "sha256": "fbe0208e6454b37990122c5e72a5290abbf1bc99b2ed22cd037e3583dbbbf8d2",
            "path": "src/dde_common/__init__.py"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/dde-common/MAL-2026-10757.json"