MAL-2026-6230

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/django-auth-middleware-plus/MAL-2026-6230.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6230
Published
2026-06-19T21:05:32Z
Modified
2026-06-20T19:46:00.033461631Z
Summary
Malicious code in django-auth-middleware-plus (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6cf58978ba5eec5220b4b4d85966efff31d31d164ff103f98dfd627381e061ec)

On import, django_auth_middleware_plus/__init__.py spawns a daemon thread that POSTs a JSON payload containing the host's hostname, username, cwd, environment variables matching key/secret/token/pass/auth/api, and the contents of ~/.env, ~/.bashrc, ~/.config, .env, and ../.env to a hardcoded plaintext HTTP endpoint at http://4.210.177.128:8080/callback. The same import path reads ~/.pypirc and ~/.netrc (up to 200 bytes each) and ships them in the same payload, leaking the installer's PyPI publishing token and machine credentials to the attacker. A _persistence() routine appends an alias overriding django to pip install django-auth-middleware-plus --upgrade into ~/.bashrc, ~/.zshrc, and ~/.profile so subsequent shell sessions re-fetch and re-trigger the C2 callback. The package's METADATA falsely claims Home-page https://www.djangoproject.com/ and Author-email security@djangoproject.com to impersonate the Django Project — the package name and metadata are a typosquat lure for the genuine Django ecosystem.

Source: kam193 (2ccfb7651ac3c66adcbbe9a066a65768acc678ce22d14f0eb34f25786af6374a)

During import, the package exfiltrates sensitive environmental variables and configuration files, and establishes persistence via an entry in .bashrc and similar files.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-django-auth-middleware-plus

Reasons (based on the campaign):

  • dependency-confusion

  • exfiltration-credentials

  • exfiltration-env-variables

  • persistence

  • files-exfiltration

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "2ccfb7651ac3c66adcbbe9a066a65768acc678ce22d14f0eb34f25786af6374a",
            "source": "kam193",
            "modified_time": "2026-06-19T21:05:32.071244Z",
            "versions": [
                "99.99.99"
            ],
            "id": "pypi/2026-06-django-auth-middleware-plus/django-auth-middleware-plus",
            "import_time": "2026-06-19T21:56:10.104758302Z"
        },
        {
            "sha256": "6cf58978ba5eec5220b4b4d85966efff31d31d164ff103f98dfd627381e061ec",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T18:43:09Z",
            "id": "IN-MAL-2026-007101",
            "versions": [
                "99.99.99"
            ],
            "import_time": "2026-06-20T19:34:58.16378715Z"
        }
    ],
    "iocs": {
        "ips": [
            "4.210.177.128"
        ],
        "urls": [
            "http://4.210.177.128:8080/callback"
        ]
    }
}

Affected packages

PyPI / django-auth-middleware-plus

Package

Name
django-auth-middleware-plus
Purl
pkg:pypi/django-auth-middleware-plus

Affected ranges

Affected versions

99.*
99.99.99

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/django-auth-middleware-plus/MAL-2026-6230.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "14249cdb75be08b00af33c01f26b8fe3bf0cb6a04fc467e43a25975d2e5811eb",
            "tlsh": "44815643f4d92db1d18afb6b943151406b2ba8976a0118387bfca3448fc8759e1f66fc",
            "path": "django_auth_middleware_plus/__init__.py"
        },
        {
            "sha256": "151ecf4659a7af16af03c4e38314f960e8699082d6f753f1cab0cb6d4c9e5441",
            "tlsh": "d231440674c47af4bbcf4d0b03249615e8224ad09a8e70885bf05bca59d85e6d37b138",
            "path": "django_auth_middleware_plus-99.99.99.dist-info/METADATA"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha256": "b3c11c7afc28fe234531d0d54586716bca7e82d18ae1e7373dfba42583cda951",
                "blake2b_256": "8de1559243c97d952cc6f54445006428670070085f2c4a81ba72e98330bdfa34",
                "md5": "628c0096f36f15d6706408de46c1b461"
            },
            "filename": "django_auth_middleware_plus-99.99.99-py3-none-any.whl"
        }
    ]
}