-= Per source details. Do not edit below this line.=-
No suspicious behaviors were observed in this package. There are no install-time or import-time network calls, no credential or filesystem access patterns, no obfuscated payloads, and no lifecycle scripts performing privileged operations. The package appears to be a standard Odoo addon module.
The OpenSSF Package Analysis project identified 'odoo-addon-spp-base' @ 99.0.0 (pypi) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"sha256": "da9c7bdf0b4ac969bfa720be2b3f87caa4c82a6d3ac7eeda5e74946aa3c1a1de",
"versions": [
"99.0.0"
],
"import_time": "2026-06-09T12:03:47.64272604Z",
"modified_time": "2026-06-08T16:16:14Z",
"source": "ossf-package-analysis"
},
{
"versions": [
"99.0.0"
],
"id": "IN-MAL-2026-008076",
"import_time": "2026-07-08T17:01:28.643462851Z",
"sha256": "c6e43f21a6bdcbb6cfa1837833232c9888fb8012bd2ebae8607a6d08eaee9f06",
"modified_time": "2026-07-08T16:21:09Z",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "odoo_addon_spp_base-99.0.0.tar.gz",
"hashes": {
"sha256": "38374f936e0a6af4fdcc0e8a332096844f215cfe930d744ef9eb88f7057455f7",
"md5": "a8534086be88e252a08216d2f896f72a",
"blake2b_256": "5f7f5f3f8041ba6b52244675ab8af5c51de0f0df9d1f9c116363fc6db94a674d"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/odoo-addon-spp-base/MAL-2026-5367.json"