dt-validator @0.3.0

Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 9:08 PM UTC

Malicious

OSV ID

MAL-2026-6728

Ecosystem

pypi

Summary

Code contains a function to execute remote code, which at the time of analysis was extracting the "auth_user" table from Django DB. The remote code execution is partially documented and disguised with multiple warnings, but a) the 'convenience function' uses a hardcoded endpoint and loads results to the global namespace, b) the warnings are silenced by default.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-dt-validator

Reasons (based on the campaign):

- Downloads and executes a remote malicious script.
- action-hidden-in-lib-usage

Source: kam193 (0fc0256380d811cdce05ffa9c3644a5f7e4ebd6f7acfce0f955935b42449b17a)
