MAL-2026-3692

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/guan/MAL-2026-3692.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3692
Published
2026-05-12T07:41:52Z
Modified
2026-05-13T20:22:53.891819Z
Summary
Malicious code in guan (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2e04a9a658bc7616e72a5edf276dd049e5b697f2492c46929caf2e01fac95d84)

The top-level src/guan/__init__.py unconditionally calls statistics_of_guan_package() on every import of guan. That function (in src/guan/others.py) opens a raw TCP socket to the hardcoded author-controlled endpoint socket.guanjihuan.com:12345 and sends a JSON payload containing the installer's MAC address (via uuid.getnode()), the guan package version, and a timestamp. There is no opt-out, no documentation of this behavior in README/PKG-INFO, and no user consent. This constitutes silent collection of a stable hardware identifier from every machine that imports the package and transmission of it to an author-controlled server: an installer-side data exfiltration pattern, not merely author-side self-harm. While the payload is narrow (MAC + version + time), MAC addresses are persistent hardware identifiers suitable for tracking, correlation, and deanonymization of developer/build machines.
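As an added example (not code from the advisory or from the guan project), the following Python script statically checks a package's modules for the pattern described above: a function that reads a hardware identifier via uuid.getnode() and opens a socket, plus a module-level call to that function so it runs on import, including a call hidden inside a try/except. The file names and fixture sources are constructed for the check.

```python
import ast

# Call pairs matching the pattern in the advisory above: a stable hardware
# identifier read plus a raw network connection in the same function.
IDENTIFIER_CALLS = {("uuid", "getnode")}
NETWORK_CALLS = {("socket", "socket"), ("socket", "create_connection")}

def _dotted(func):
    """('module', 'attr') for a call like socket.socket(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None

def _import_time_statements(tree):
    """Statements run on import, descending into try/if so a call wrapped
    in 'try: ... except Exception: pass' is still seen."""
    stack = list(tree.body)
    while stack:
        stmt = stack.pop(0)
        if isinstance(stmt, ast.Try):
            stack = stmt.body + stmt.orelse + stmt.finalbody + stack
        elif isinstance(stmt, ast.If):
            stack = stmt.body + stmt.orelse + stack
        else:
            yield stmt

def scan_package(sources):
    """sources: {file name: source text}. Returns functions combining an
    identifier read with a network call, and import-time calls to them."""
    suspicious, called_on_import = set(), []
    for name, src in sources.items():
        tree = ast.parse(src, filename=name)
        for node in ast.walk(tree):
            if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
                calls = {_dotted(c.func) for c in ast.walk(node) if isinstance(c, ast.Call)}
                if calls & IDENTIFIER_CALLS and calls & NETWORK_CALLS:
                    suspicious.add(node.name)
        for stmt in _import_time_statements(tree):
            if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
                func = stmt.value.func
                if isinstance(func, ast.Name):
                    called_on_import.append((name, func.id))
    findings = [(f, fn) for f, fn in called_on_import if fn in suspicious]
    return {"suspicious_functions": sorted(suspicious), "import_time_findings": findings}

# Constructed fixture with the layout the advisory describes; not the package's code.
FIXTURE = {
    "src/pkg/__init__.py": "from .others import report_stats\ntry:\n    report_stats()\nexcept Exception:\n    pass\n",
    "src/pkg/others.py": "import socket, uuid\ndef report_stats():\n    node = uuid.getnode()\n    socket.create_connection(('example.invalid', 1)).close()\n",
}
```

Run scan_package over the real files of a package under review (read from disk into the same dict shape) before installing it into a build environment; a non-empty import_time_findings list is the signal to inspect by hand.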

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002162",
            "import_time": "2026-05-13T20:10:52.085627512Z",
            "sha256": "2e04a9a658bc7616e72a5edf276dd049e5b697f2492c46929caf2e01fac95d84",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.1.171"
            ]
        },
        {
            "id": "IN-MAL-2026-002127",
            "import_time": "2026-05-13T20:10:51.539665834Z",
            "sha256": "79f5073a737071fced2f4ba5d1843bb5104253741c9e5f58bf2b773f06c05ada",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "0.1.100"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / guan

Package

Affected ranges

Affected versions

0.*
0.1.100
0.1.171

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "src/guan/__init__.py",
            "sha256": "5ffca3f9acceae723d7127c035a100c6c71b4b3102091c004c7462b9dafa3115",
            "tlsh": "2611e33f22ffbb004abae7e1705f1674537750baaf4000a71ee963be178516c1a11439"
        }
    ],
    "package_integrity": [
        {
            "filename": "guan-0.1.171-py3-none-any.whl",
            "hashes": {
                "md5": "356aa56abd6c5c00d93988ac60d2cf1f",
                "blake2b_256": "e61d4e36c641deef2c4269b4b71fd2547eb4d25b3417f9da2e50e7a9fe227093",
                "sha256": "980fc0886cc85b6ff49a3d784bc95bc1333b535bac3216b4b042960f9fe496cb"
            }
        },
        {
            "filename": "guan-0.1.171.tar.gz",
            "hashes": {
                "md5": "3ee7b41b5ab81001eda862fef4981a8a",
                "blake2b_256": "4c627291cc70500619327b420a9c8dc2faffe49569222f70210898dfa4e0d5d7",
                "sha256": "ee1227ae4a8b99d0f356c3cc0fde42782eef66bdb751947fc678a1f6e2938a23"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/guan/MAL-2026-3692.json"