MAL-2026-4766

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/saas-common-lib-473815/MAL-2026-4766.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4766
Withdrawn
2026-06-13T01:41:13Z
Published
2026-05-19T20:28:28Z
Modified
2026-06-15T00:15:55.966658861Z
Summary
Malicious code in saas-common-lib-473815 (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0142a19ba91410cc19470321caba04aa48633df937b0ed66439cccf31877a333)

utils/send_email_otp.py exposes otp_email_service(to_email, email_body), which authenticates to smtp.gmail.com using a hardcoded sender address (magizhchisk@gmail.com) and a hardcoded Gmail App Password, then calls server.send_message on a message whose From: is the author and whose To: is the caller-supplied recipient, with a caller-supplied body. Any application that imports this helper sends OTP/notification email from the author's personal Gmail account through author-controlled infrastructure, with no way for the caller to supply their own SMTP credentials. The recipient address and message body (installer-side data) are silently routed through the author's mailbox. Additionally, the App Password is redistributed to every installer, so anyone who installs the package can log into the author's Gmail and impersonate the sender to all prior OTP recipients. A secondary issue in utils/auth.py hardcodes SECRET_KEY = "nsn" for HS256 JWT signing; any deployment using create_access_token/verify_token from this library will issue forgeable tokens, since the signing key is shipped publicly.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.8"
            ],
            "sha256": "0142a19ba91410cc19470321caba04aa48633df937b0ed66439cccf31877a333",
            "modified_time": "2026-05-19T20:28:28Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:20.280881766Z",
            "id": "IN-MAL-2026-003275"
        },
        {
            "versions": [
                "2.7"
            ],
            "sha256": "b0c309076131280de80ce34e8edb5e83e7fe13a8f70fa4bf17efe028e5988368",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T20:54:41Z",
            "import_time": "2026-05-26T05:50:20.701266809Z",
            "id": "IN-MAL-2026-003280"
        },
        {
            "versions": [
                "2.6"
            ],
            "sha256": "f681f5ad7df2473889efbc6a9b4c12552eedf417288b832324ad70fd3631300d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-19T20:29:34Z",
            "import_time": "2026-05-26T05:50:20.408640406Z",
            "id": "IN-MAL-2026-003276"
        },
        {
            "versions": [
                "3.4"
            ],
            "sha256": "744bbf51734da7cc07ed1ded040b717a8fa33b77e925df487b68c2d48fcebf30",
            "modified_time": "2026-06-12T19:10:35Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-12T19:44:16.245778994Z",
            "id": "IN-MAL-2026-006174"
        },
        {
            "versions": [
                "3.6"
            ],
            "sha256": "8bb5494165201c9ac6b9fb0bee27a9dc10c83e4abd93cb5eb20fab5e834f2468",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:10:36Z",
            "import_time": "2026-06-12T19:44:16.348029683Z",
            "id": "IN-MAL-2026-006175"
        }
    ]
}
References
Credits

Affected packages

PyPI / saas-common-lib-473815

Package

Name
saas-common-lib-473815
Purl
pkg:pypi/saas-common-lib-473815

Affected ranges

Affected versions

2.*
2.6
2.7
2.8
3.*
3.4
3.6

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "saas_common_lib_473815-2.8-py3-none-any.whl",
            "hashes": {
                "sha256": "73ccde9c34f90b4b8a57bb7137ea423d01227c961161bfcfe4c1bc2ce4014b73",
                "md5": "58e5f84acf72ca6e803fc2dcc1c743a1",
                "blake2b_256": "936914c6ceccb06703af3fdaf3269d25c2f5dbdc6675438cb095956176e77739"
            }
        },
        {
            "filename": "saas_common_lib_473815-2.8.tar.gz",
            "hashes": {
                "sha256": "f8badac526954dc92b0b71b2c70f9c4a820535422e2b57fbed07931b17e23cd1",
                "md5": "a3ec3e4f292bb93b08093f677d360930",
                "blake2b_256": "43bef89aaf2d2761033553b42abd08e8964792fa1b58c2b0485bf6c246c03cb4"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "b3f723a83b97de6ad4a50aa2fc9cb76a495ce1ff8d334b3294d8ddfad2a8a4ce",
            "path": "utils/send_email_otp.py",
            "tlsh": "82017b315ecb20a685b6d017f8a1a161e7af1a131e7c685072ec001a2f75c1af4a01fb"
        },
        {
            "sha256": "7a7cb60c02cded57c6fc29c655b66042c682ad501e40cce9b840d630d69aa684",
            "path": "utils/auth.py",
            "tlsh": "51c16eac0cbbb0429536c5a8d9b59409e737a683bd273842344cc3ec7ff9058e27921c"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/saas-common-lib-473815/MAL-2026-4766.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]