MAL-2026-4769

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/soundsource/MAL-2026-4769.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4769
Published
2026-05-19T19:52:10Z
Modified
2026-05-26T06:03:15.562847655Z
Summary
Malicious code in soundsource (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e3285c5fec24c01c9c463e85c199934f5a08da7e94277583430a6e3feb274add)

The package's source distribution contains Token.txt at the tarball root holding a live PyPI API token (prefix pypi-AgEIcHlwaS5vcmc...). Anyone who downloads or installs the sdist obtains a credential granting publish rights on PyPI under the author's account, enabling republication of trojaned versions of this package (and any other package within the token's scope) to all downstream installers. Additional quality concerns include a malformed Homepage URL in pyproject.toml (https://https://github.com/...) and a placeholder DEFAULT_BASE_URL pointing at api.soundsource.example.com, indicating an unreviewed publish.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "e3285c5fec24c01c9c463e85c199934f5a08da7e94277583430a6e3feb274add",
            "versions": [
                "0.1.0"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-003268",
            "modified_time": "2026-05-19T19:52:10Z",
            "import_time": "2026-05-26T05:50:19.531091426Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / soundsource

Package

Affected ranges

Affected versions

0.*
0.1.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "soundsource-0.1.0-py3-none-any.whl",
            "hashes": {
                "blake2b_256": "5f0243d8442851fcaf25fddbe25da18269d786cb07b3f2e79135ebe5e654abfe",
                "md5": "fcbbbceeb51675abaf0f4da38bfd75dc",
                "sha256": "4be22646789c855bbfb198dae5c7bf5157aff8f45542a53331aa482459c92a8b"
            }
        },
        {
            "filename": "soundsource-0.1.0.tar.gz",
            "hashes": {
                "blake2b_256": "9a84d0c611a2482125d5be4f4ef1eddce3f1ebc250f4d9b753154421466d8ff1",
                "md5": "5b17ec51d5f30bf2bdc7e9ac456b9ed5",
                "sha256": "0337a492b64e9755489103cea356705df16259e05bc1aba5f939fd960b631050"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "Token.txt",
            "sha256": "f000a23149d74c170ddb282dfdfd70316a69fe10996f0d4cc370fb2279735ad5",
            "tlsh": "8dc022371820924a20c430c6889c752cb141f5f10c0212c268d9d5b8f4445c02159081"
        },
        {
            "path": "pyproject.toml",
            "sha256": "af82d66f5f3f742e1458d1a380af24ec41230fcc382ddf908b63dc992d94130a",
            "tlsh": "cf310df3c9c62eb98ab110a0506a0e41f671511f764804eeb9f7824d1b38ebb84bcc29"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/soundsource/MAL-2026-4769.json"