What is the SHA-256 hash associated with malicious Python packages #4513

kmbyr23 · 2025-12-18T22:35:19Z

kmbyr23
Dec 18, 2025

For example, the SHA-256 hashes listed here: https://osv.dev/vulnerability/MAL-2025-3016 and here: https://osv.dev/vulnerability/MAL-2025-47749

What is the file that is being hashed here? Is it the .whl for the package?

jess-lowe · 2026-01-04T22:48:08Z

jess-lowe
Jan 4, 2026
Maintainer

Data in the database_specific field comes from upstream data providers in most cases. For the MAL- namespace it comes from https://github.com/ossf/malicious-packages. You should be able to get a better answer there :)

0 replies

calebbrown · 2026-01-12T23:31:01Z

calebbrown
Jan 12, 2026
Collaborator

Hi @kmbyr23, the sha256 hashes in objects in the malicious-packages-origins array are hashes of the source reports these reports are generated from.

The details of this structure are described in https://github.com/ossf/malicious-packages/blob/main/docs/schema_additions.md.

These are not hashes of the artifacts themselves (whl, zip, tgz, etc).

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

What is the SHA-256 hash associated with malicious Python packages #4513

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

What is the SHA-256 hash associated with malicious Python packages #4513

Uh oh!

kmbyr23 Dec 18, 2025

Replies: 2 comments

Uh oh!

jess-lowe Jan 4, 2026 Maintainer

Uh oh!

calebbrown Jan 12, 2026 Collaborator

kmbyr23
Dec 18, 2025

jess-lowe
Jan 4, 2026
Maintainer

calebbrown
Jan 12, 2026
Collaborator