
MAL-2026-4769

Malicious code in soundsource (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e3285c5fec24c01c9c463e85c199934f5a08da7e94277583430a6e3feb274add)

The package's source distribution contains `Token.txt` at the tarball root holding a live PyPI API token (prefix `pypi-AgEIcHlwaS5vcmc...`). Anyone who downloads or installs the sdist obtains a credential granting publish rights on PyPI under the author's account, enabling republication of trojaned versions of this package (and any other package within the token's scope) to all downstream installers. Additional quality concerns include a malformed `Homepage` URL in `pyproject.toml` (`https://https://github.com/...`) and a placeholder `DEFAULT_BASE_URL` pointing at `api.soundsource.example.com`, indicating an unreviewed publish.
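As an added check (not part of the advisory or the OSV record), the scanner below walks an sdist tarball and reports the two defects described above: any file carrying a credential with the PyPI token prefix `pypi-AgEIcHlwaS5vcmc`, and a doubled URL scheme such as `https://https://` in project metadata. The sample tarball it builds is constructed here with a fake token; `scan_sdist` and `build_sample_sdist` are names chosen for this example.

```python
import io
import re
import tarfile

# Every PyPI API token starts with this prefix (the advisory's redacted token shows
# it); the remainder is URL-safe base64. Matching the prefix flags a leak without
# needing to validate the token.
PYPI_TOKEN_RE = re.compile(rb"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{20,}")
# Doubled scheme such as "https://https://github.com/..." in project metadata.
DOUBLE_SCHEME_RE = re.compile(rb"https?://https?://")


def scan_sdist(sdist_bytes: bytes) -> dict:
    """Walk every regular file in an sdist tarball and report leaked PyPI
    tokens (redacted to their prefix) and doubled URL schemes."""
    findings = {"tokens": [], "bad_urls": []}
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            content = tar.extractfile(member).read()
            for match in PYPI_TOKEN_RE.finditer(content):
                redacted = match.group(0)[:20].decode() + "..."
                findings["tokens"].append((member.name, redacted))
            for match in DOUBLE_SCHEME_RE.finditer(content):
                findings["bad_urls"].append((member.name, match.group(0).decode()))
    return findings


def build_sample_sdist() -> bytes:
    """Constructed sample resembling the advisory: Token.txt at the tarball root
    holding a FAKE token, and a pyproject.toml with a doubled Homepage scheme."""
    fake_token = b"pypi-AgEIcHlwaS5vcmc" + b"A" * 40 + b"\n"  # constructed, not real
    pyproject = (b'[project]\nname = "soundsource"\n\n[project.urls]\n'
                 b'Homepage = "https://https://github.com/example/soundsource"\n')
    members = [("Token.txt", fake_token),
               ("pyproject.toml", pyproject),
               ("README.md", b"clean file\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in members:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_sdist(build_sample_sdist()))
```

Run against a real sdist by passing the bytes of the downloaded `.tar.gz` to `scan_sdist`; a non-empty `tokens` list means the archive must not be installed and the token must be revoked.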


Affected packages

PyPI / soundsource

No fixed version published yet for soundsource (pip). Pin to a known-safe version or switch to an alternative.
