pypi · Malicious package advisory
Malwaredjango-auth-middleware-plus
MAL-2026-6230
Malicious code in django-auth-middleware-plus (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (6cf58978ba5eec5220b4b4d85966efff31d31d164ff103f98dfd627381e061ec) On import, django_auth_middleware_plus/__init__.py spawns a daemon thread that POSTs a JSON payload containing the host's hostname, username, cwd, environment variables matching key/secret/token/pass/auth/api, and the contents of ~/.env, ~/.bashrc, ~/.config,.env, and../.env to a hardcoded plaintext HTTP endpoint at http://4.210.177.128:8080/callback. The same import path reads ~/.pypirc and ~/.netrc (up to 200 bytes each) and ships them in the same payload, leaking the installer's PyPI publishing token and machine credentials to the attacker. A _persistence() routine appends an alias overriding `django` to `pip install django-auth-middleware-plus --upgrade` into ~/.bashrc, ~/.zshrc, and ~/.profile so subsequent shell sessions re-fetch and re-trigger the C2 callback. The package's METADATA falsely claims Home-page https://www.djangoproject.com/ and Author-email security@djangoproject.com to impersonate the Django Project — the package name and metadata are a typosquat lure for the genuine Django ecosystem. ## Source: kam193 (2ccfb7651ac3c66adcbbe9a066a65768acc678ce22d14f0eb34f25786af6374a) During import, package exfiltrates sensitive enviromental variables, configuration files and establishes persistence via entry in `.bashrc` and similar files. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-06-django-auth-middleware-plus Reasons (based on the campaign): - dependency-confusion - exfiltration-credentials - exfiltration-env-variables - persistence - files-exfiltration
Compromised versions (1)
- 99.99.99
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.