MAL-2026-4755

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/mathepy/MAL-2026-4755.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4755
Published
2026-05-21T22:51:51Z
Modified
2026-05-26T06:03:12.132334620Z
Summary
Malicious code in mathepy (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (268eeb8db2d704a5b34b2007a25477fdd9f2de3525462f3dd78192aa5d2f95a1)

Package metadata advertises mathepy as a 'Module for Quick Calculations', but the package's importable init.py exposes ~13 top-level functions (askllm, pink, america, iran, momo, dropnull, code, sf, abc, liti, bcd, lc, init, koko) whose bodies each construct a Groq client with a hardcoded gsk_* API key and forward the caller-supplied prompt argument to api.groq.com's chat-completions endpoint. For example, src/mathepy/ai_helper.py:4 instantiates Groq(api_key="gsk_m7BJ...") and askllm posts the caller's prompt to client.chat.completions.create; analogous code is present in pink.py, america.py, iran.py, momo.py, dropnull.py, code.py, sf.py, abc.py, liti.py, bcd.py, lc.py, koko.py, and init.py, each with a distinct hardcoded gsk_* key. Callers have no way to opt out, the destination is unconfigurable, and the README does not disclose that input is sent to a third-party LLM service. Any developer who imports mathepy and invokes one of these functions silently routes their inputs through the author's Groq account. This is the silent-relay supply-chain shape: a package's advertised API hides a hardcoded outbound destination that exfiltrates caller-supplied data. The hardcoded keys themselves are author-self-harm (anyone can extract and burn the author's Groq quota), but the relay channel they enable is the installer-facing harm.
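A defender-side static check for the shape this record describes (a module that builds an LLM client with a literal API key and forwards caller input), as an added example that is not part of the OSV record, of the Amazon Inspector source, or of the mathepy package. It walks the Python AST of each module rather than grepping, so it catches the `Groq(api_key="gsk_...")` pattern regardless of spacing or quoting. The sample module texts, the fake key strings, the `CLIENT_NAMES` set and the key prefixes other than `gsk_` are constructed assumptions added for generality; only the `gsk_` prefix and the `Groq(api_key=...)` shape come from the advisory text.

```python
"""
Static check for the silent-relay shape: an importable module that builds an
LLM client with a literal (hardcoded) API key. Added example, not part of the
OSV record or of the mathepy package. Sample modules and keys below are
constructed; the key values are fake.
"""
import ast
from dataclasses import dataclass

# Key prefixes to flag. "gsk_" is the Groq prefix named in the advisory; the
# others are assumptions added so the check generalizes to other providers.
KEY_PREFIXES = ("gsk_", "sk-", "AKIA")
# Client constructors that commonly take an api_key keyword (assumption).
CLIENT_NAMES = {"Groq", "OpenAI", "Anthropic"}


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    kind: str      # "hardcoded_key" or "client_with_literal_key"
    detail: str


def _is_key_literal(node):
    """True for a string constant that looks like a provider API key."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.startswith(KEY_PREFIXES))


def scan_source(path, source):
    """Return findings for one module's source text.

    A call such as Groq(api_key="gsk_...") yields two findings: one for the
    key literal itself and one for the client built with it. That is intended;
    the second finding is the stronger signal of the relay shape.
    """
    findings = []
    tree = ast.parse(source, filename=path)
    for node in ast.walk(tree):
        if _is_key_literal(node):
            findings.append(Finding(path, node.lineno, "hardcoded_key",
                                    f"literal starting with {node.value[:4]!r}"))
        if isinstance(node, ast.Call):
            fn = node.func
            # Handles both `Groq(...)` and `groq.Groq(...)`.
            name = fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", None)
            if name in CLIENT_NAMES:
                for kw in node.keywords:
                    if kw.arg == "api_key" and isinstance(kw.value, ast.Constant):
                        findings.append(Finding(path, node.lineno,
                                                "client_with_literal_key",
                                                f"{name}(api_key=<literal>)"))
    return findings


def scan_package(modules):
    """modules: mapping of path -> source text. Returns findings sorted by path/line."""
    out = []
    for path, src in modules.items():
        out.extend(scan_source(path, src))
    return sorted(out, key=lambda f: (f.path, f.lineno))


# Constructed sample package: one module mirroring the relay shape, one benign.
SAMPLE_MODULES = {
    "src/pkg/relay.py": (
        "from groq import Groq\n"
        "client = Groq(api_key='gsk_FAKEKEY_FOR_EXAMPLE_ONLY')\n"  # fake key
        "def askllm(prompt):\n"
        "    return client.chat.completions.create(\n"
        "        model='x', messages=[{'role': 'user', 'content': prompt}])\n"
    ),
    "src/pkg/ok.py": (
        "import os\n"
        "from groq import Groq\n"
        "client = Groq(api_key=os.environ['GROQ_API_KEY'])\n"  # key from env: not flagged
    ),
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_MODULES):
        print(f"{f.path}:{f.lineno} {f.kind}: {f.detail}")
```

Run against an unpacked wheel or sdist by reading each `.py` file into the `modules` mapping; a package whose only way to reach a network service is through a literal key in its own source is exactly the case the advisory describes, and a key read from the environment or a parameter produces no finding.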

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "02b6bdc1d574730d17402a0de0a723bde9a9eae564236b977d64c76669f297d5",
            "versions": [
                "1.2.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T22:51:51Z",
            "id": "IN-MAL-2026-004062",
            "import_time": "2026-05-26T05:51:51.918427305Z"
        },
        {
            "id": "IN-MAL-2026-004105",
            "import_time": "2026-05-26T05:51:56.812553923Z",
            "sha256": "f6c753ce19473103600325f51274a7190eee54e48be1e19c828f2af105eca173",
            "modified_time": "2026-05-22T00:23:13Z",
            "source": "amazon-inspector",
            "versions": [
                "3.5.0"
            ]
        },
        {
            "sha256": "febe3de1c0fc94c227cd37d422989e447bbaf1cc519dda7979036661bf58f0e2",
            "versions": [
                "4.5.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T00:23:08Z",
            "id": "IN-MAL-2026-004102",
            "import_time": "2026-05-26T05:51:56.512078347Z"
        },
        {
            "sha256": "10141229d153545990ab1d358689df6c1c927e43195ac5e3c0101caab3179a55",
            "import_time": "2026-05-26T05:51:56.620741729Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T00:23:08Z",
            "versions": [
                "2.5.0"
            ],
            "id": "IN-MAL-2026-004103"
        },
        {
            "id": "IN-MAL-2026-004732",
            "versions": [
                "6.7.0"
            ],
            "import_time": "2026-05-26T05:53:10.634050878Z",
            "modified_time": "2026-05-25T17:31:03Z",
            "sha256": "268eeb8db2d704a5b34b2007a25477fdd9f2de3525462f3dd78192aa5d2f95a1",
            "source": "amazon-inspector"
        },
        {
            "sha256": "41ae6d35f231dc4e14d7c6d44fd6d4a74b65ef671893d798837d3821da3cf9af",
            "versions": [
                "6.6.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T17:01:59Z",
            "id": "IN-MAL-2026-004728",
            "import_time": "2026-05-26T05:53:10.160218268Z"
        },
        {
            "id": "IN-MAL-2026-004066",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-05-26T05:51:52.299136038Z",
            "modified_time": "2026-05-21T22:52:16Z",
            "sha256": "4e6882d2388d4a50651f1522ff880cb1084aaff474f04b1255e6261d0d886df5",
            "source": "amazon-inspector"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "8.0.0"
            ],
            "id": "IN-MAL-2026-004778",
            "modified_time": "2026-05-25T21:32:29Z",
            "import_time": "2026-05-26T05:53:15.890903702Z",
            "sha256": "518048c89b6bba58b224d7f191fa7c68e9e31d8b6376b82794aed6f53a86e52c"
        },
        {
            "sha256": "83747496974b4c8d5bc9d26f06416df48689cd4ca4793d2a5df8648279647174",
            "import_time": "2026-05-26T05:53:10.786000733Z",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T17:31:09Z",
            "versions": [
                "6.8.0"
            ],
            "id": "IN-MAL-2026-004733"
        },
        {
            "sha256": "862033605e990d5a982099b7d0cc47621c9df572b2df9a1e20c5a95df787c7f6",
            "versions": [
                "5.5.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T00:22:58Z",
            "id": "IN-MAL-2026-004101",
            "import_time": "2026-05-26T05:51:56.407339841Z"
        },
        {
            "sha256": "8cd074d98a1fad36ae5f2bc78749db55c19d9cdbdae37aa14b0a766b344b775d",
            "versions": [
                "2.2.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T23:52:58Z",
            "id": "IN-MAL-2026-004097",
            "import_time": "2026-05-26T05:51:55.979834823Z"
        },
        {
            "sha256": "a3a09863fd16dad4603c0e3f0e1ea20200dd068faf851e261e8609f067cfd7dc",
            "versions": [
                "5.6.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T00:23:12Z",
            "id": "IN-MAL-2026-004104",
            "import_time": "2026-05-26T05:51:56.71759969Z"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "7.8.0"
            ],
            "id": "IN-MAL-2026-004762",
            "modified_time": "2026-05-25T19:01:18Z",
            "import_time": "2026-05-26T05:53:14.036415348Z",
            "sha256": "b27de99c93386ef2a08633856bd7c51215f1de908c4fddbd40fb3797f12f687e"
        },
        {
            "id": "IN-MAL-2026-004777",
            "versions": [
                "7.9.0"
            ],
            "import_time": "2026-05-26T05:53:15.781904956Z",
            "modified_time": "2026-05-25T21:02:34Z",
            "sha256": "f3e83054932030531e5716a59985c086e357d4aa8ee1760ce890449f66d864f1",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

PyPI / mathepy

Package

Affected ranges

Affected versions

1.*
1.0.0
1.2.0
2.*
2.2.0
2.5.0
3.*
3.5.0
4.*
4.5.0
5.*
5.5.0
5.6.0
6.*
6.6.0
6.7.0
6.8.0
7.*
7.8.0
7.9.0
8.*
8.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/mathepy/MAL-2026-4755.json"
indicators
{
    "package_integrity": [
        {
            "filename": "mathepy-1.2.0-py3-none-any.whl",
            "hashes": {
                "md5": "eacdcb6bbc1165c0cba3b4efc24df57d",
                "sha256": "77c393cd7571d39e42e62f6daf81d9057d44087867027cbd0fa04c9cd65e1e90",
                "blake2b_256": "19bfa304e14a712870fcca3964c2125d9456cc3c231861989446ac510ae4a478"
            }
        },
        {
            "filename": "mathepy-1.2.0.tar.gz",
            "hashes": {
                "md5": "d46e87e78fcc03c8c8488ebad8234b55",
                "sha256": "3d13460ce609cca7c8cbbafd7ab98d9d9fed4834e4bda7e99f800704051503e1",
                "blake2b_256": "38591988fdf5ded1107122b48d0912f7b0356e06e7a56082ff71f8de04dd23d0"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "03b960bee8e48c2b91670ea317a7ebfcdecda5db5acbe5a9d80f4dcb99351bd1",
            "tlsh": "3df09525cc64484e07a241aaa6119851707ff41372f070b9f22c54b85fd2e6751e57d7",
            "path": "src/mathepy/ai_helper.py"
        },
        {
            "sha256": "5c5e95a41edef2e0096ee9ba2a3c73069d5062519e6a3f7716a4fa71e98c5928",
            "tlsh": "21316663de49471903d2907e99589181f278f40b272475a9f87cc24c4fc217adbf97b9",
            "path": "src/mathepy/init.py"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]