-= Per source details. Do not edit below this line.=-
utils/sendemailotp.py exposes otpEmailService(toemail, emailbody), which authenticates to smtp.gmail.com using a hardcoded sender address (magizhchisk@gmail.com) and a hardcoded Gmail App Password, then calls server.sendmessage on a message whose From: is the author and To: is the caller-supplied recipient with caller-supplied body. Any application that imports this helper sends OTP/notification email FROM the author's personal Gmail account through author-controlled infrastructure, with no way for the caller to supply their own SMTP credentials. The recipient address and message body — installer-side data — are silently routed through the author's mailbox. Additionally, the App Password is redistributed to every installer, so anyone who installs the package can log into the author's Gmail and impersonate the sender to all prior OTP recipients. A secondary issue in utils/auth.py hardcodes SECRETKEY = "nsn" for HS256 JWT signing; any deployment using createaccesstoken/verify_token from this library will issue forgeable tokens since the signing key is shipped publicly.
{
"malicious-packages-origins": [
{
"versions": [
"2.8"
],
"sha256": "0142a19ba91410cc19470321caba04aa48633df937b0ed66439cccf31877a333",
"modified_time": "2026-05-19T20:28:28Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:50:20.280881766Z",
"id": "IN-MAL-2026-003275"
},
{
"versions": [
"2.7"
],
"sha256": "b0c309076131280de80ce34e8edb5e83e7fe13a8f70fa4bf17efe028e5988368",
"source": "amazon-inspector",
"modified_time": "2026-05-19T20:54:41Z",
"import_time": "2026-05-26T05:50:20.701266809Z",
"id": "IN-MAL-2026-003280"
},
{
"versions": [
"2.6"
],
"sha256": "f681f5ad7df2473889efbc6a9b4c12552eedf417288b832324ad70fd3631300d",
"source": "amazon-inspector",
"modified_time": "2026-05-19T20:29:34Z",
"import_time": "2026-05-26T05:50:20.408640406Z",
"id": "IN-MAL-2026-003276"
},
{
"versions": [
"3.4"
],
"sha256": "744bbf51734da7cc07ed1ded040b717a8fa33b77e925df487b68c2d48fcebf30",
"modified_time": "2026-06-12T19:10:35Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:44:16.245778994Z",
"id": "IN-MAL-2026-006174"
},
{
"versions": [
"3.6"
],
"sha256": "8bb5494165201c9ac6b9fb0bee27a9dc10c83e4abd93cb5eb20fab5e834f2468",
"source": "amazon-inspector",
"modified_time": "2026-06-12T19:10:36Z",
"import_time": "2026-06-12T19:44:16.348029683Z",
"id": "IN-MAL-2026-006175"
}
]
}{
"package_integrity": [
{
"filename": "saas_common_lib_473815-2.8-py3-none-any.whl",
"hashes": {
"sha256": "73ccde9c34f90b4b8a57bb7137ea423d01227c961161bfcfe4c1bc2ce4014b73",
"md5": "58e5f84acf72ca6e803fc2dcc1c743a1",
"blake2b_256": "936914c6ceccb06703af3fdaf3269d25c2f5dbdc6675438cb095956176e77739"
}
},
{
"filename": "saas_common_lib_473815-2.8.tar.gz",
"hashes": {
"sha256": "f8badac526954dc92b0b71b2c70f9c4a820535422e2b57fbed07931b17e23cd1",
"md5": "a3ec3e4f292bb93b08093f677d360930",
"blake2b_256": "43bef89aaf2d2761033553b42abd08e8964792fa1b58c2b0485bf6c246c03cb4"
}
}
],
"evidence_files": [
{
"sha256": "b3f723a83b97de6ad4a50aa2fc9cb76a495ce1ff8d334b3294d8ddfad2a8a4ce",
"path": "utils/send_email_otp.py",
"tlsh": "82017b315ecb20a685b6d017f8a1a161e7af1a131e7c685072ec001a2f75c1af4a01fb"
},
{
"sha256": "7a7cb60c02cded57c6fc29c655b66042c682ad501e40cce9b840d630d69aa684",
"path": "utils/auth.py",
"tlsh": "51c16eac0cbbb0429536c5a8d9b59409e737a683bd273842344cc3ec7ff9058e27921c"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/saas-common-lib-473815/MAL-2026-4766.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]