VDB
GCVE-110-OSM-2026-4139
GCVE-110-OSM-2026-4139
Advisory PublishedCVSS 9.6/10
Compromised version of `guardrails-ai` (0.10.1) on PyPI is part of the Mini Shai-Hulud supply-chain campaign's expansion into Python (May 2026, attributed to TeamPCP). Unlike the npm side, the PyPI infection uses a direct-download dropper rather than a full worm implant: the package executes malicious code on import, downloading https://git-tanstack.com/transformers.pyz to /tmp/transformers.pyz and executing it with python3 — with no integrity verification. Cross-referenced from a public disclosure on X/Twitter.
=== PYPI IMPORT-TIME EXECUTION ===
Version: guardrails-ai==0.10.1
Registry: PyPI
Trigger: package import (not install)
guardrails-ai 0.10.1 executes malicious code on package import. On Linux hosts, it downloads https://git-tanstack.com/transformers.pyz, writes it to /tmp/transformers.pyz, and executes it with python3 — with no integrity verification (no hash check, no signature check, plain HTTPS-fetched bytes piped into the interpreter).
=== ATTRIBUTION SIGNAL ===
The git-tanstack.com domain has served a page signed "With Love TeamPCP" stating "We've been online over 2 hours now stealing creds. Regardless I just came to say hello :^)" with a linked YouTube video (presumed rickroll). This confirms the same TeamPCP threat group operating the npm-side mini-shai-hulud worm has crossed into PyPI.
=== CAMPAIGN LINK ===
This package is part of the broader Mini Shai-Hulud supply-chain campaign that began in npm with the TanStack compromise (May 2026) and has now expanded into PyPI. See related npm threats under tag `mini-shai-hulud` for the full kill chain on the npm side (router_init.js / tanstack_runner.js, Session P2P exfiltration, OIDC token theft, Sigstore provenance abuse). The PyPI side is simpler: a direct .pyz dropper from git-tanstack.com.
=== INFRASTRUCTURE OBSERVED ===
- git-tanstack.com (payload host — serves transformers.pyz)
- https://git-tanstack.com/transformers.pyz (the actual dropper URL)
- /tmp/transformers.pyz (local write target)
- filev2.getsession.org / seed1.getsession.org (npm-side Session P2P exfil — may also receive PyPI-harvested data)
- api.masscan.cloud (attacker-controlled API observed npm-side)
- GitHub account voicproducoes (ID 269549300, created 2026-03-19)
=== DETECTION GUIDANCE ===
- Scan PyPI installs of guardrails-ai==0.10.1 for module-level network calls and subprocess invocations of python3 against /tmp paths.
- Block git-tanstack.com at egress.
- Hunt for /tmp/transformers.pyz on developer/CI hosts that have ever installed this version.
Compromised version: 0.10.1
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | guardrails-ai | 0.10.1 (affected), 0.10.1 (affected) | — |
Browse GCVE Records
72,096 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.