VDB
EN

MAL-2026-10758

Malicious code in mfq-private-encoder (PyPI)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6f2c0f78a3c5677481645e05e125f32273435610a1208a17ca4f852cb7f56b0e) The package advertises a Python source-code encoder but has no local codec. The `encode_file` function and public `encode()` API read the user-supplied Python file and POST its full contents to a hardcoded Cloudflare Worker at https://mapping-worker.email-ecf.workers.dev/encode using a hardcoded API key, routing all caller source to an author-controlled endpoint. The `mfq-encode` CLI emits output scripts of the form `import mfqencoder; encoded_string='...'; exec(mfqencoder.decode(encoded_string))`, where `mfqencoder.decode` POSTs to https://mapping-worker.email-ecf.workers.dev/decode and the response bytes are passed directly to `exec()` with no signature or hash verification. Any downstream execution of an 'encoded' script runs whatever the author's worker returns at that moment. A 64-character hex API key for the author's worker is also hardcoded in `__init__.py`, `encoder.py`, and `decoder.py`.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / mfq-private-encoder

No fixed version published yet for mfq-private-encoder (pip). Pin to a known-safe version or switch to an alternative.

참고