MAL-2026-4795

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/massive/MAL-2026-4795.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4795
Withdrawn
2026-05-26T21:29:31Z
Published
2026-05-26T09:10:52Z
Modified
2026-05-27T00:32:13.689980164Z
Summary
Malicious code in massive (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (02d8dea3e47a2bd45fc796f33fc582956aec2be887add9672fd5eccc91c2135d)

Package self-describes as the 'Official Massive (formerly Polygon.io) REST and Websocket client,' a false rebrand claim — Polygon.io has not changed names. The source is a near-verbatim clone of the legitimate polygon-api-client with brand strings substituted: massive/rest/__init__.py hardcodes BASE = "https://api.massive.com", the API key environment variable is renamed MASSIVE_API_KEY, and the repository URL github.com/massive-com/client-python is a lookalike of polygon-io/client-python. Because the API shape is identical to the legitimate Polygon SDK, copy-pasted developer code 'just works' but sends the caller's real Polygon bearer token (massive/rest/base.py:46 attaches Authorization: Bearer <API_KEY> to every request) plus all market-data queries to api.massive.com — a destination the developer did not choose and which the documented config does not redirect (callers would have to override base= on every client instantiation). The websocket client similarly hardcodes a non-Polygon feed host. Net effect: any developer installing this package expecting the Polygon SDK silently relays their API credentials and queries to an attacker-controlled lookalike domain.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.8.0"
            ],
            "id": "IN-MAL-2026-004883",
            "modified_time": "2026-05-26T09:10:52Z",
            "import_time": "2026-05-26T09:17:33.641161541Z",
            "sha256": "02d8dea3e47a2bd45fc796f33fc582956aec2be887add9672fd5eccc91c2135d",
            "source": "amazon-inspector"
        }
    ]
}

Affected packages

PyPI / massive

Package: massive (PyPI)
Affected ranges: 2.*
Affected versions: 2.8.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/pypi/massive/MAL-2026-4795.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "md5": "7af769824889e7dfe29f1d7e171b9ec8",
                "sha256": "d04332c9dec289bdf71e4cfaf8bfba26bd10e5829806d27b833488e89ee5015b",
                "blake2b_256": "c90d01464a7faa974cf0e6345cf93f2f5d10991a316e733d3f55e36fbb2d814d"
            },
            "filename": "massive-2.8.0-py3-none-any.whl"
        },
        {
            "filename": "massive-2.8.0.tar.gz",
            "hashes": {
                "md5": "d44be6a748b97405232102b797376359",
                "sha256": "e3f70c4b51e03b105a01a5a91e01745c43f9f5d4da9459ea80e1b7c3e7a17278",
                "blake2b_256": "9cb27cc9fadccd111b9fa1c378dad6a668312b563600d19498d26051fb57cf73"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "massive/rest/__init__.py",
            "sha256": "f259b89736e3027276b00b9b92dcf31c64f09627874c05b4a56d8c51a0f7c813",
            "tlsh": "094157172a7a327865968f58c86ae241173a18230f03346671bc017c2f4f27fb7be798"
        }
    ]
}