MAL-2026-3689

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/dcchbot/MAL-2026-3689.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3689
Published
2026-05-12T07:42:11Z
Modified
2026-05-13T20:22:39.178129Z
Summary
Malicious code in dcchbot (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (df79831d1b486c8ca704295b410cec7b66be85aa87c3244d97ff1e87f643183a)

The package performs multiple installer-hostile behaviors.

(1) dcchbot/__init__.py auto-invokes run() on import, which triggers interactive input() prompts and an outbound HTTPS GET to a non-PyPI third-party domain (https://evan0708.rf.gd/pypi-backup/json) — any import (including by IDEs, linters, or dependency scanners) blocks on stdin and beacons to attacker-controlled infrastructure.

(2) main.py reads data['info']['version'] from that rf.gd endpoint and later uses the value directly inside os.system(f'pip install dcchbot=={latest_version}') in the /bot-update slash handler; a crafted response (e.g. containing shell metacharacters) yields arbitrary command execution on the installer's host. The rf.gd free-subdomain pattern can also be re-registered by third parties if the account lapses, making this a latent RCE channel.

(3) main.py hardcodes CODER_ID = 1317800611441283139 and authorizes that Discord user ID inside /op, /stop, /token, and /bot-update handlers in addition to the installer's OWNER_ID — the package author can, on any Discord server where an installer's bot is present, leak the bot token (/token sends bot._token), grant themselves administrator, or trigger the vulnerable update command.

This is direct installer-side harm: token exfiltration, privilege escalation on the installer's Discord servers, and remote shell command execution driven by an external URL.
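For reviewers checking other self-updating packages for the pattern in (2), the sketch below is an added example, not code from dcchbot or from the advisory source. It contrasts the string-into-shell construction with a validated argv list; the package name example-bot, the function names, the regex and the sample responses are all assumptions made for illustration.

```python
import json
import re
import sys

# Conservative subset of PEP 440: digits and dots, optional pre/post/dev tags.
VERSION_RE = re.compile(
    r"[0-9]+(\.[0-9]+)*((a|b|rc)[0-9]+)?(\.post[0-9]+)?(\.dev[0-9]+)?"
)
PACKAGE = "example-bot"  # placeholder name (assumption), not the flagged package


def unsafe_command(latest_version):
    """The pattern the advisory describes: remote text pasted into a shell line."""
    return f"pip install {PACKAGE}=={latest_version}"  # would be passed to os.system()


def extract_version(body):
    """Parse the metadata JSON; return info.version only if it is a plain version."""
    try:
        version = json.loads(body)["info"]["version"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed metadata response") from exc
    # fullmatch rather than match or '$': a trailing newline or suffix must not pass.
    if (not isinstance(version, str) or len(version) > 32
            or not VERSION_RE.fullmatch(version)):
        raise ValueError(f"rejected version field: {version!r}")
    return version


def safe_update_argv(body):
    """Build an argv list for subprocess.run(argv); no shell ever parses it."""
    version = extract_version(body)
    return [sys.executable, "-m", "pip", "install", f"{PACKAGE}=={version}"]


# Constructed sample responses (not captured from the real endpoint).
GOOD = '{"info": {"version": "1.9.4"}}'
BAD = '{"info": {"version": "1.9.4; echo INJECTED"}}'

if __name__ == "__main__":
    print(unsafe_command(json.loads(BAD)["info"]["version"]))
    print(safe_update_argv(GOOD))
    try:
        safe_update_argv(BAD)
    except ValueError as err:
        print("blocked:", err)
```

Validation closes only the shell-injection path; the import-time network call in (1) and the hardcoded second authorized user ID in (3) are unaffected by it.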

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.9.4"
            ],
            "sha256": "3a40a14434df3a61756624968ed85c2ea55ae3298fde23de5099c530089fd7b0",
            "id": "IN-MAL-2026-002150",
            "source": "amazon-inspector",
            "import_time": "2026-05-13T20:10:52.026857661Z"
        },
        {
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.9.1"
            ],
            "sha256": "60ff0446b42a79933bc212e1600a36b572d60635fbfd6f69f9881b54ad7f4c18",
            "id": "IN-MAL-2026-002149",
            "source": "amazon-inspector",
            "import_time": "2026-05-13T20:10:51.952480244Z"
        },
        {
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.8.3"
            ],
            "sha256": "c995da3f467f406ccbbc6314be0fcfc0f01b212c54bf3add01207e1d1fba6626",
            "id": "IN-MAL-2026-002147",
            "source": "amazon-inspector",
            "import_time": "2026-05-13T20:10:51.87454839Z"
        },
        {
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.9"
            ],
            "sha256": "df79831d1b486c8ca704295b410cec7b66be85aa87c3244d97ff1e87f643183a",
            "id": "IN-MAL-2026-002148",
            "source": "amazon-inspector",
            "import_time": "2026-05-13T20:10:51.913332115Z"
        },
        {
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.8.1"
            ],
            "sha256": "ff481b1e845b1c26503b21dc505660af654baf24f7250391c2a59357e3611425",
            "id": "IN-MAL-2026-002146",
            "source": "amazon-inspector",
            "import_time": "2026-05-13T20:10:51.812957037Z"
        }
    ]
}

Affected packages

PyPI / dcchbot

Affected versions

1.*
1.8.1
1.8.3
1.9
1.9.1
1.9.4

Database specific

indicators
{
    "domains": [
        "evan0708.rf.gd",
        "evil"
    ],
    "evidence_files": [
        {
            "sha256": "93edcce4d7529dde63786c450acfd0ad389e9b9848c43f75b87bf3ff4cf0ac26",
            "tlsh": "eac230228daf2c35617bc14c5523d101f330a14b756d6063b9ac72a48ffd985a4eaff9",
            "path": "dcchbot/main.py"
        },
        {
            "sha256": "4ee4111ad483f19f1678d0ad96fab3f9f571876652f3b41298de150897a7b74b",
            "tlsh": "fcb02b1630170131459c4184c20031310b5200d4187711520309953e84c20c04e101f6",
            "path": "dcchbot/__init__.py"
        }
    ],
    "urls": [
        "https://evan0708.rf.gd/pypi-backup/json",
        "http://evil/sh"
    ],
    "package_integrity": [
        {
            "hashes": {
                "blake2b_256": "25b2ea7a4eefcd1c966d8816fb7cfddf483f51cc6760186395f9bdc4a92cd67f",
                "md5": "ef868370522d852f3ca33fee985cedc6",
                "sha256": "266a6d334484859361a2e943b946f8450855113f4809821508d8d5c3d7d1161d"
            },
            "filename": "dcchbot-1.9.4-py3-none-any.whl"
        },
        {
            "hashes": {
                "blake2b_256": "346cca31844600b1caa4a3ba82be6301ff0da3744911235eeb7891244da10448",
                "md5": "dd4a5c1305afd86d9395aa3108450d1a",
                "sha256": "378488015e8fac7cfcbe5c4b45e025d57ce0506b24988cd7ab1153487039b082"
            },
            "filename": "dcchbot-1.9.4.tar.gz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/dcchbot/MAL-2026-3689.json"