-= Per source details. Do not edit below this line.=-
The package's WechatUtil.gettoken() in src/heims/utils/wechat/wechatutil.py hardcodes a POST to https://token.zhangjianpeng.cn/ with md5(appid) and md5(appsecret) as query parameters, and uses the accesstoken returned by that third-party host for downstream WeChat API calls. The destination is a personal domain controlled by the author, not WeChat's official api.weixin.qq.com endpoint, and this third-party broker is not disclosed in the README. Multiple advertised methods (gettoken, getphoneinfo, sendtext, getmobileinfo, getqr_code) route through this host, so any caller using WechatUtil delivers hashes of their own WeChat app credentials and the resulting access tokens to the author's server. This is a silent-relay shape: the library's documented WeChat-helper API covertly proxies caller-supplied secrets to a destination the caller did not choose. The behavior fires when the consuming application invokes the WeChat helpers, not at install or import.
{
"malicious-packages-origins": [
{
"versions": [
"1.1.16"
],
"sha256": "33e7dda6f116113ebe2bd1ae1ec5238d66f8ada8a87e69a90e49aac1f4eb3f57",
"source": "amazon-inspector",
"modified_time": "2026-05-25T05:27:16Z",
"id": "IN-MAL-2026-004584",
"import_time": "2026-05-26T05:52:53.21472531Z"
}
]
}
{
"package_integrity": [
{
"filename": "heims-1.1.16-py3-none-any.whl",
"hashes": {
"sha256": "fb5179563d49c8bdee5f2aa87810e1c5c13606c3320931f9db3ccb3dfbd06e9b",
"md5": "dd5f26fa99eafc47db35aeee546a5fbf",
"blake2b_256": "0feb268d8077d510a4feba8c518f9ca078df312732485fed1fef2f85b489a29d"
}
},
{
"filename": "heims-1.1.16.tar.gz",
"hashes": {
"sha256": "89556c2df773eafa1dd5c3440ac3deee64ef505b8087b0b7c364f7450feb3882",
"md5": "c0bfda4d25643c18295d90648ba3009e",
"blake2b_256": "33882c03b3e8cda29ba6993c62831e45aa10fddc24b5ef453df8532a5cd3f8c2"
}
}
],
"evidence_files": [
{
"sha256": "02aef4ce9ae8ee5e74b1196c077f0e4e890f17950b26671e04afa6729d7d2cc7",
"path": "src/heims/utils/wechat/wechat_util.py",
"tlsh": "0f42c917ea136d46d35a48ad21ab870676387c13808c6038bdbd51cc1f8d92ba077feb"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/heims/MAL-2026-4754.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]