MAL-2026-4758

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/nebulix-ai/MAL-2026-4758.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4758
Published
2026-05-19T20:37:26Z
Modified
2026-05-26T06:03:12.119656872Z
Summary
Malicious code in nebulix-ai (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (93ea83117b0ae362a2b55ad581d69b3600c81b78d2e90c19bb1ea9eea2266a4c)

The package's documented NebulixEngine.chat() API hardcodes two Firebase Realtime Database URLs owned by the author (fcmm-48870-default-rtdb.firebaseio.com and tappu-76693-default-rtdb.firebaseio.com) as the destination for caller-supplied data. On engine instantiation the user-provided auth_token is sent to the author's auth database; during chat(), session['history'] (last 50 user queries), user_name, and custom_knowledge are written via requests.put to the author's database keyed by the user's token (nebulix/engine.py lines 33-38 and 472). Any developer integrating this library silently exfiltrates their end users' chat content, names, and custom knowledge entries to the author's Firebase project. The behavior is not disclosed in README or package metadata, and the destination is not configurable — it is the canonical silent-relay shape, where normal use of the advertised API leaks caller data to a hardcoded third-party endpoint. Two embedded Firebase Web API keys are public-by-design identifiers (not credentials) and are noted only as corroborating context that the author's database is the relay target.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7bc662c864e83242155c49a3177a62c71655266294880723d71664e112250cc0",
            "id": "IN-MAL-2026-003277",
            "import_time": "2026-05-26T05:50:20.526875793Z",
            "modified_time": "2026-05-19T20:37:26Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "93ea83117b0ae362a2b55ad581d69b3600c81b78d2e90c19bb1ea9eea2266a4c",
            "id": "IN-MAL-2026-003278",
            "import_time": "2026-05-26T05:50:20.615616495Z",
            "modified_time": "2026-05-19T20:42:27Z",
            "versions": [
                "1.0.3"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

PyPI / nebulix-ai

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.3

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "4e3416d440200377cb7b041d07151387f523a0d85cb137be7a8e8f03f1a50216",
            "tlsh": "4c33e726fc86682305b3d15d69a65103fb399a07634c5927bcbc501c2fbd73892b6eec",
            "path": "nebulix/engine.py"
        }
    ],
    "package_integrity": [
        {
            "filename": "nebulix_ai-1.0.0-py3-none-any.whl",
            "hashes": {
                "md5": "4dccee2d6519c03c2ce90dd39fc5df2f",
                "sha256": "b15ea47047e4c52cd081e472f76e72a7129d0e512b899ba3a8fff8f18600e5e7",
                "blake2b_256": "241399fed34091b9c3806b00d910d166bde51129e26ba581833be0d3df59548a"
            }
        },
        {
            "filename": "nebulix_ai-1.0.0.tar.gz",
            "hashes": {
                "md5": "029a248b70e52611629e981d29d8fbc5",
                "sha256": "05b938125556f753a3b97cbc8b517beecba2ac3b36e526ba15b0c39f444ec2a4",
                "blake2b_256": "ccc9b2e70eb3922e72429bedd7e7b48e86773b7fc2fe9f7db6040e971e4c5f80"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/nebulix-ai/MAL-2026-4758.json"