django-auth-middleware-plus @99.99.99
Vulnerability report · Last retrieved from osv.dev June 21, 2026 at 8:57 PM UTC
OSV ID
MAL-2026-6230
Ecosystem
pypi
Summary
On import, django_auth_middleware_plus/__init__.py spawns a daemon thread that POSTs a JSON payload to a hardcoded plaintext HTTP endpoint at http://4.210.177.128:8080/callback. The payload contains the host's hostname, username and cwd, every environment variable whose name matches key/secret/token/pass/auth/api, and the contents of ~/.env, ~/.bashrc, ~/.config, .env, and ../.env.

The same import path also reads ~/.pypirc and ~/.netrc (up to 200 bytes each) and ships them in the same payload, leaking the installer's PyPI publishing token and machine credentials to the attacker.

A _persistence() routine appends to ~/.bashrc, ~/.zshrc, and ~/.profile an alias that overrides django with pip install django-auth-middleware-plus --upgrade, so every subsequent shell session re-fetches the package and re-triggers the C2 callback.

The package's METADATA falsely claims Home-page https://www.djangoproject.com/ and Author-email security@djangoproject.com to impersonate the Django Project; the package name and metadata are a typosquat lure for the genuine Django ecosystem.
Source: amazon-inspector (6cf58978ba5eec5220b4b4d85966efff31d31d164ff103f98dfd627381e061ec)