MAL-2026-3252

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/gauth-client/MAL-2026-3252.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3252
Published
2026-05-03T21:26:25Z
Modified
2026-05-03T22:02:04.904216Z
Summary
Malicious code in gauth-client (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (aea1fab5eb3b9422c65232e53e79eb71ba3436355601cd61e7a7b0177779df4e)

Package impersonates Google and attempts to exfiltrate various credential files. It also sets up a PTH file for automated start during Python initialization. In the analyzed version, the exfiltration target was set to localhost, suggesting it's not the final code.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-gauth-client

Reasons (based on the campaign):

  • exfiltration-credentials

  • impersonation

  • files-exfiltration

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-03T21:26:25.089879Z",
            "versions": [
                "0.1.0"
            ],
            "sha256": "aea1fab5eb3b9422c65232e53e79eb71ba3436355601cd61e7a7b0177779df4e",
            "id": "pypi/2026-05-gauth-client/gauth-client",
            "source": "kam193",
            "import_time": "2026-05-03T21:47:54.48009955Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / gauth-client

Package

Affected ranges

Affected versions

0.*
0.1.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/gauth-client/MAL-2026-3252.json"