Vulnerability
Malicious code in aurapro-ui (PyPI)
## Source: amazon-inspector (cace553d74971e3660a0a7095662488f531348ba3e756696da5ff0ef9645ab22)

The PyPI package aurapro-ui installs its code under the Python import namespace `open_webui/` and registers two console scripts in entry_points.txt, `aurapro-ui` and `open-webui`, both pointing at `open_webui.cli:app`. Installing aurapro-ui on a system that has (or later receives) the legitimate `open-webui` package causes silent module-import and CLI-binary collisions: `import open_webui` and the `open-webui` shell command resolve to whichever package was installed last, with no warning to the operator. pip does not check for file overlap between distributions, so the later install overwrites the shared `open_webui/` files, and uninstalling either package removes files the other relies on.

Package metadata compounds the deception: `Author-email` is set to `Timothy Jaeryang Baek <tim@openwebui.com>` (the maintainer of the unrelated upstream Open WebUI project), and the README is a search-and-replace rebrand of the upstream README that still links to docs.openwebui.com, openwebui.com, and the upstream Discord, although aurapro-ui has no documented relationship to that project.

The current aurapro-ui 3.2.5 payload appears to be a rebrand of the upstream code with no exfiltration or RCE at import time, but the namespace foothold and the falsified authorship stage a future malicious update that could silently replace the real `open_webui` module and `open-webui` CLI on any machine that installed aurapro-ui.
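The check an operator would want after reading the above is whether any installed distribution claims a module or console script that belongs to another distribution. The following is an added example written for this page, not code from the amazon-inspector source, from aurapro-ui or from Open WebUI; it reads the live environment through `importlib.metadata` and also runs against a constructed sample in which the aurapro-ui entry reproduces the advisory's metadata (module `open_webui`, scripts `aurapro-ui` and `open-webui` pointing at `open_webui.cli:app`, the borrowed `Author-email`), while the legitimate `open-webui` entry's version and script target are placeholders, not the real project's values.

```python
"""
Find installed Python distributions that collide on an import namespace or a
console-script name, the aurapro-ui / open-webui pattern described above.
Added example, not code from the advisory source or from either project.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from importlib import metadata


def normalize(name: str) -> str:
    """PEP 503 normalization, so 'open_webui' and 'Open-WebUI' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass
class DistInfo:
    name: str
    version: str
    author_email: str
    top_level: set[str]              # import packages the distribution installs
    console_scripts: dict[str, str]  # script name -> "module:attr" target


def collect_installed() -> list[DistInfo]:
    """Read every distribution in the live environment; no network access needed."""
    found: list[DistInfo] = []
    for dist in metadata.distributions():
        try:
            md = dist.metadata
            top: set[str] = set()
            txt = dist.read_text("top_level.txt")  # written by setuptools builds
            if txt:
                top = {line.strip() for line in txt.splitlines() if line.strip()}
            else:  # otherwise infer from the first path component of installed files
                for f in dist.files or []:
                    head = f.parts[0]
                    if len(f.parts) > 1 and not head.endswith((".dist-info", ".egg-info")):
                        top.add(head)
            scripts = {ep.name: ep.value for ep in dist.entry_points
                       if ep.group == "console_scripts"}
            found.append(DistInfo(md.get("Name") or "?", md.get("Version") or "?",
                                  md.get("Author-email") or "", top, scripts))
        except Exception:  # a broken .dist-info must not abort the whole scan
            continue
    return found


def find_collisions(dists: list[DistInfo]):
    """Modules and console scripts claimed by more than one distribution."""
    by_module, by_script = defaultdict(list), defaultdict(list)
    for d in dists:
        for m in d.top_level:
            by_module[m].append(d.name)
        for s in d.console_scripts:
            by_script[s].append(d.name)
    return ({m: sorted(v) for m, v in by_module.items() if len(v) > 1},
            {s: sorted(v) for s, v in by_script.items() if len(v) > 1})


def find_shadowing(dists: list[DistInfo], watch=()):
    """Distributions whose module or script name equals some *other* distribution's name.

    `watch` covers the pre-positioning case: aurapro-ui already claims
    'open_webui' and 'open-webui' before the real open-webui is installed, so
    the caller can name distributions it expects to install later.
    """
    targets = {normalize(d.name) for d in dists} | {normalize(w) for w in watch}
    hits = []
    for d in dists:
        me = normalize(d.name)
        for kind, names in (("module", d.top_level), ("script", d.console_scripts)):
            for n in names:
                if normalize(n) in targets and normalize(n) != me:
                    hits.append((d.name, kind, n))
    return sorted(hits)


# Constructed sample. The aurapro-ui entry mirrors the advisory text; the
# open-webui entry's version and script target are placeholders, not the
# real project's values.
SAMPLE = [
    DistInfo("aurapro-ui", "3.2.5", "Timothy Jaeryang Baek <tim@openwebui.com>",
             {"open_webui"},
             {"aurapro-ui": "open_webui.cli:app", "open-webui": "open_webui.cli:app"}),
    DistInfo("open-webui", "0.0.0", "<placeholder>",
             {"open_webui"}, {"open-webui": "open_webui:app"}),
    DistInfo("requests", "2.32.3", "", {"requests"}, {}),
]

if __name__ == "__main__":
    installed = collect_installed()
    mods, scripts = find_collisions(installed)
    for m, owners in mods.items():
        print(f"module {m!r} is shipped by {owners}")
    for s, owners in scripts.items():
        print(f"console script {s!r} is shipped by {owners}")
    for dist_name, kind, item in find_shadowing(installed, watch={"open-webui"}):
        print(f"{dist_name} ships {kind} {item!r} that matches another distribution's name")
```

A collision hit means the files on disk belong to whichever distribution was installed last; run `pip show -f` on both names to see which one owns `open_webui/` and the `open-webui` script, then uninstall both and reinstall only the one you trust, since removing just one of them deletes files the other lists in its RECORD.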
No CVSS base score from NVD or GHSA yet, and no EPSS score yet. FIRST.org publishes EPSS daily, but it only covers published CVE IDs; a reserved or not-yet-published ID carries no score, and no CVE ID is listed on this record. Until a score lands, judge severity from exploitation (KEV) signals and the assessment below.
No exploitation, limited impact or prevalence