dt-validator @0.3.0
Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 9:08 PM UTC
OSV ID
MAL-2026-6728
Ecosystem
pypi
Summary
Code contains a function to execute remote code, which at the time of analysis was extracting the "auth_user" table from Django DB. The remote code execution is partially documented and disguised with multiple warnings, but a) the 'convenience function' uses a hardcoded endpoint and loads results to the global namespace, b) the warnings are silenced by default.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-dt-validator

Reasons (based on the campaign):
- Downloads and executes a remote malicious script.
- action-hidden-in-lib-usage
Source: kam193 (0fc0256380d811cdce05ffa9c3644a5f7e4ebd6f7acfce0f955935b42449b17a)