Malicious package

saas-common-lib-473815 (PyPI)

Malicious code in saas-common-lib-473815 (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-4766
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall saas-common-lib-473815

What this malware does

utils/send_email_otp.py exposes otpEmailService(to_email, email_body), which authenticates to smtp.gmail.com using a hardcoded sender address ([email protected]) and a hardcoded Gmail App Password, then calls server.send_message on a message whose From: is the author and To: is the caller-supplied recipient with caller-supplied body. Any application that imports this helper sends OTP/notification email FROM the author's personal Gmail account through author-controlled infrastructure, with no way for the caller to supply their own SMTP credentials. The recipient address and message body — installer-side data — are silently routed through the author's mailbox. Additionally, the App Password is redistributed to every installer, so anyone who installs the package can log into the author's Gmail and impersonate the sender to all prior OTP recipients. A secondary issue in utils/auth.py hardcodes SECRET_KEY = "nsn" for HS256 JWT signing; any deployment using create_access_token/verify_token from this library will issue forgeable tokens since the signing key is shipped publicly.
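As an added defensive illustration (not code from the advisory or from the package), the following AST scan flags the two patterns described above: a secret-looking name assigned a string literal, and a `.login()` call made with literal credentials. The sample source, the function name `find_hardcoded_secrets`, and the placeholder address and password are constructed for this example.

```python
import ast

# Variable names whose string-literal assignment indicates a shipped secret
# (covers the SECRET_KEY = "..." pattern described above).
SECRET_NAMES = {"SECRET_KEY", "PASSWORD", "APP_PASSWORD", "API_KEY", "TOKEN"}

def find_hardcoded_secrets(source: str) -> list[str]:
    """Return one finding per hardcoded secret in Python `source`:
    NAME = "literal" for a secret-looking NAME, and <obj>.login(...) called
    with only string-literal arguments (the smtplib shape described above).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and target.id.upper() in SECRET_NAMES
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append(
                        f"line {node.lineno}: {target.id} assigned a "
                        f"{len(node.value.value)}-char string literal")
        elif isinstance(node, ast.Call):
            func = node.func
            if (isinstance(func, ast.Attribute) and func.attr == "login"
                    and node.args
                    and all(isinstance(a, ast.Constant)
                            and isinstance(a.value, str) for a in node.args)):
                findings.append(
                    f"line {node.lineno}: .login() called with "
                    f"{len(node.args)} string-literal argument(s)")
    return findings

# Constructed sample that mimics the shape described in the advisory; the
# sender address and password are placeholders, not the package's real values.
SAMPLE_SOURCE = '''import smtplib
SECRET_KEY = "nsn"
def otp_email_service(to_email, email_body):
    server = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    server.login("sender@example.com", "PLACEHOLDER_APP_PASSWORD")
    server.sendmail("sender@example.com", to_email, email_body)
'''

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(finding)
```

Running the scan over an installed package's `site-packages` directory (parsing each `.py` file) turns this into a quick pre-deploy check; a secret read from the environment instead of a literal produces no finding.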

Malicious versions

5 flagged: 2.6, 2.7, 2.8, 3.4, 3.6

Indicators of compromise (SHA-256)


Frequently asked questions

No. saas-common-lib-473815 on PyPI has been identified as a malicious package (versions 2.6, 2.7, 2.8, 3.4, 3.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003275, IN-MAL-2026-003280, IN-MAL-2026-003276, IN-MAL-2026-006174, IN-MAL-2026-006175

Credits

  • Amazon Inspector · finder

saas-common-lib-473815 (PyPI) malicious package — MAL-2026-4766 | O3 Security