MAL-2026-5367

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/odoo-addon-spp-base/MAL-2026-5367.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5367
Published
2026-06-08T16:16:14Z
Modified
2026-07-08T17:16:55.049154670Z
Summary
Malicious code in odoo-addon-spp-base (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c6e43f21a6bdcbb6cfa1837833232c9888fb8012bd2ebae8607a6d08eaee9f06)

No suspicious behaviors were observed in this package. There are no install-time or import-time network calls, no credential or filesystem access patterns, no obfuscated payloads, and no lifecycle scripts performing privileged operations. The package appears to be a standard Odoo addon module.

Source: ossf-package-analysis (da9c7bdf0b4ac969bfa720be2b3f87caa4c82a6d3ac7eeda5e74946aa3c1a1de)

The OpenSSF Package Analysis project identified 'odoo-addon-spp-base' @ 99.0.0 (pypi) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "da9c7bdf0b4ac969bfa720be2b3f87caa4c82a6d3ac7eeda5e74946aa3c1a1de",
            "versions": [
                "99.0.0"
            ],
            "import_time": "2026-06-09T12:03:47.64272604Z",
            "modified_time": "2026-06-08T16:16:14Z",
            "source": "ossf-package-analysis"
        },
        {
            "versions": [
                "99.0.0"
            ],
            "id": "IN-MAL-2026-008076",
            "import_time": "2026-07-08T17:01:28.643462851Z",
            "sha256": "c6e43f21a6bdcbb6cfa1837833232c9888fb8012bd2ebae8607a6d08eaee9f06",
            "modified_time": "2026-07-08T16:21:09Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

PyPI / odoo-addon-spp-base

Package

Name
odoo-addon-spp-base
View open source insights on deps.dev
Purl
pkg:pypi/odoo-addon-spp-base

Affected ranges

Affected versions

99.*
99.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "odoo_addon_spp_base-99.0.0.tar.gz",
            "hashes": {
                "sha256": "38374f936e0a6af4fdcc0e8a332096844f215cfe930d744ef9eb88f7057455f7",
                "md5": "a8534086be88e252a08216d2f896f72a",
                "blake2b_256": "5f7f5f3f8041ba6b52244675ab8af5c51de0f0df9d1f9c116363fc6db94a674d"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/odoo-addon-spp-base/MAL-2026-5367.json"