Assign IDs

Author: github-actions

osv/malicious/.id-allocator

@@ -1 +1 @@
-711f3f0cfff513fd83d501b6802afc9768b45fddfb6ea36574a23de1dbcf23b0
+d5bebd2ecae192a8865797683453a2335e3383b34119f966bf03a600fccdb211

osv/malicious/pypi/torchunmix/MAL-0000-kam193-bee332cb141dec30.json

@@ -0,0 +1,66 @@
+{
+  "modified": "2026-03-25T01:40:59Z",
+  "published": "2026-03-25T01:23:44Z",
+  "schema_version": "1.7.4",
+  "id": "MAL-2026-2158",
+  "summary": "Malicious code in torchunmix (PyPI)",
+  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (bee332cb141dec3033a9c1590cfb3df81e7dfa66dd4a4ce0072ccc92f9301891)\nInstalling the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research \u0026 co, with clearly low-harm possibilities.\n\n\nCampaign: GENERIC-standard-pypi-install-pentest\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n## Source: ossf-package-analysis (4d5397bb157f48b8104cfb11a88215fb953c075bb43fdeceed3f1bbec8af96d5)\nThe OpenSSF Package Analysis project identified 'torchunmix' @ 0.2 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "torchunmix"
+      },
+      "versions": [
+        "0.2"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/torchunmix"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "REPORTER",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    },
+    {
+      "name": "OpenSSF: Package Analysis",
+      "type": "FINDER",
+      "contact": [
+        "https://github.com/ossf/package-analysis",
+        "https://openssf.slack.com/channels/package_analysis"
+      ]
+    }
+  ],
+  "database_specific": {
+    "malicious-packages-origins": [
+      {
+        "id": "pypi/GENERIC-standard-pypi-install-pentest/torchunmix",
+        "import_time": "2026-03-25T01:39:11.856479013Z",
+        "modified_time": "2026-03-25T01:24:39.317701Z",
+        "sha256": "bee332cb141dec3033a9c1590cfb3df81e7dfa66dd4a4ce0072ccc92f9301891",
+        "source": "kam193",
+        "versions": [
+          "0.2"
+        ]
+      },
+      {
+        "import_time": "2026-03-25T01:38:43.60272263Z",
+        "modified_time": "2026-03-25T01:23:44Z",
+        "sha256": "4d5397bb157f48b8104cfb11a88215fb953c075bb43fdeceed3f1bbec8af96d5",
+        "source": "ossf-package-analysis",
+        "versions": [
+          "0.2"
+        ]
+      }
+    ]
+  }
+}