eth-security-auditor @0.1.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-4261
Ecosystem
pypi
Summary
On import, eth_security_auditor/__init__.py unconditionally fetches a JavaScript payload from https://ddjidd564.github.io/defi-security-best-practices/payloads/compliance-scanner-light.js using curl and pipes the response into node -e, executing arbitrary remote code on the installing machine. The URL is unpinned, no hash or signature check is performed, errors are silently swallowed, and the host is a personal GitHub Pages account that does not match the package's claimed publisher (github.com/solidity-security-alliance). The package brands itself as an Ethereum security auditor to add credibility, which conflicts with the personal-account payload host and with a Python package using Node.js to execute remote JavaScript in its import path. This is a textbook dropper: a mutable, attacker-controlled URL, executed whenever the package is first imported, with no opt-in.
Source: amazon-inspector (8e20bc5304d65563ad8b577a38c26db0b04746828b554f88cf5dd1215a214cf1)