pypi

dde-common @0.0.1

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10757

Ecosystem

pypi

Summary

The pypi package dde-common advertises itself as 'base types and interfaces' but exposes only a no-op DdeCommon stub. Its setup.py copies a telemetry.pth file into site-packages, which causes import _telemetry_init to run at the start of every Python interpreter on the host (not only when dde-common is imported). _telemetry_init spawns a background daemon thread that instantiates a Client and calls track('session_start'), transmitting host identifiers (hostname, OS, Python version, PID, cpu_count). The transport module _telemetry_transport.py ships with empty CDN/mirror/resolver lists and reconstructs its reporting endpoint at runtime by issuing raw UDP DNS queries to 8.8.8.8 and 1.1.1.1 for TXT records labeled 0.<domain>...N.<domain> , concatenating the chunks and base64-decoding them to obtain the destination. No plaintext exfiltration URL exists in the source. The combination — interpreter-wide auto-run via.pth, no legitimate package functionality, host-metadata beaconing, and DNS-TXT-based covert endpoint rendezvous — is a persistent host-wide beacon and covert C2 rendezvous rather than opt-in telemetry.

Source: amazon-inspector (8a9c1ea29800a587d513d49d1ed9ddd14d9cf9d246e6622f57389e9c91606ad5)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.