VDB

GCVE-110-OSM-2026-4139

GCVE-110-OSM-2026-4139
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 12, 2026
Compromised version of `guardrails-ai` (0.10.1) on PyPI is part of the Mini Shai-Hulud supply-chain campaign's expansion into Python (May 2026, attributed to TeamPCP). Unlike the npm side, the PyPI infection uses a direct-download dropper rather than a full worm implant: the package executes malicious code on import, downloading https://git-tanstack.com/transformers.pyz to /tmp/transformers.pyz and executing it with python3 — with no integrity verification. Cross-referenced from a public disclosure on X/Twitter. === PYPI IMPORT-TIME EXECUTION === Version: guardrails-ai==0.10.1 Registry: PyPI Trigger: package import (not install) guardrails-ai 0.10.1 executes malicious code on package import. On Linux hosts, it downloads https://git-tanstack.com/transformers.pyz, writes it to /tmp/transformers.pyz, and executes it with python3 — with no integrity verification (no hash check, no signature check, plain HTTPS-fetched bytes piped into the interpreter). === ATTRIBUTION SIGNAL === The git-tanstack.com domain has served a page signed "With Love TeamPCP" stating "We've been online over 2 hours now stealing creds. Regardless I just came to say hello :^)" with a linked YouTube video (presumed rickroll). This confirms the same TeamPCP threat group operating the npm-side mini-shai-hulud worm has crossed into PyPI. === CAMPAIGN LINK === This package is part of the broader Mini Shai-Hulud supply-chain campaign that began in npm with the TanStack compromise (May 2026) and has now expanded into PyPI. See related npm threats under tag `mini-shai-hulud` for the full kill chain on the npm side (router_init.js / tanstack_runner.js, Session P2P exfiltration, OIDC token theft, Sigstore provenance abuse). The PyPI side is simpler: a direct .pyz dropper from git-tanstack.com. === INFRASTRUCTURE OBSERVED === - git-tanstack.com (payload host — serves transformers.pyz) - https://git-tanstack.com/transformers.pyz (the actual dropper URL) - /tmp/transformers.pyz (local write target) - filev2.getsession.org / seed1.getsession.org (npm-side Session P2P exfil — may also receive PyPI-harvested data) - api.masscan.cloud (attacker-controlled API observed npm-side) - GitHub account voicproducoes (ID 269549300, created 2026-03-19) === DETECTION GUIDANCE === - Scan PyPI installs of guardrails-ai==0.10.1 for module-level network calls and subprocess invocations of python3 against /tmp paths. - Block git-tanstack.com at egress. - Hunt for /tmp/transformers.pyz on developer/CI hosts that have ever installed this version. Compromised version: 0.10.1

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownguardrails-ai0.10.1 (affected), 0.10.1 (affected)

References

vendor

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›