darkglitch @1.2.0
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10756
Ecosystem
pypi
Summary
darkglitch 1.2.0 ships a listener mode ( -l -c ) that opens a WebSocket connection to the hardcoded signaling host https://malware-signal.vercel.app/ and joins the fixed room D4RKGLI7CH . Incoming remote-command messages are passed directly into subprocess.run(command, shell=True) inside _execute_command , giving any party with access to that signaling server arbitrary shell execution on the host running the listener. core/config.py hardcodes the host and room. The -r/--run mode invokes PyInstaller with --noconsole --onefile to build darkglitch_listener.exe , a windowless Windows agent whose entry point immediately calls asyncio.run(listen_bash_mode()) , packaging the same remote-shell listener as a hidden persistent agent. The self-labeling of the host as malware-signal.vercel.app and the room as D4RKGLI7CH matches the operational shape of a remote-access trojan.
Source: amazon-inspector (6d02eb8be388433532783a7bf88864824b50756b7ced4f8728721866740c5df1)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.