Malicious code in aurapro-ui (PyPI)
MAL-2026-4742
Description
Source: amazon-inspector (cace553d74971e3660a0a7095662488f531348ba3e756696da5ff0ef9645ab22)
The PyPI package aurapro-ui installs its code under the Python import namespace open_webui/ and registers two console scripts in entry_points.txt, aurapro-ui and open-webui, both pointing at open_webui.cli:app. Installing aurapro-ui on a system that has (or later receives) the legitimate open-webui package causes silent module-import and CLI-binary collisions: import open_webui and the open-webui shell command resolve to whichever package was installed last, with no warning to the operator.

Package metadata compounds the deception: Author-email is set to Timothy Jaeryang Baek <tim@openwebui.com> (the maintainer of the unrelated upstream Open WebUI project), and the README is a search-and-replace rebrand of the upstream README that still links to docs.openwebui.com, openwebui.com, and the upstream Discord, even though aurapro-ui has no documented relationship to that project.

The current 3.2.5 payload appears to be a rebrand of the upstream code with no exfiltration or RCE at import time, but the namespace foothold and the falsified authorship establish staging for a future malicious update to silently replace the real open_webui module and open-webui CLI on any machine that installed aurapro-ui.
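The collision this advisory describes is visible from installed package metadata alone: two distributions claiming the same top-level import name or the same console_scripts entry point. The following is an added example, not part of the advisory or of any project's code, that reads that metadata via importlib.metadata and reports shared names; SAMPLE_RECORDS is a constructed stand-in for the three-package situation described above.

```python
"""Spot installed distributions that claim the same import namespace or console script."""
from collections import defaultdict
from importlib import metadata


def collect_installed():
    """Return (distribution name, top-level import names, console-script names) for every
    distribution in the current environment, taken from its installed metadata."""
    records = []
    for dist in metadata.distributions():
        top_levels = set()
        listed = dist.read_text("top_level.txt")
        if listed:
            top_levels.update(listed.split())
        else:  # no top_level.txt: derive the namespaces from the RECORD file list
            for path in dist.files or []:
                first = path.parts[0] if path.parts else ""
                if not first or first in ("..", "__pycache__") or first.endswith((".dist-info", ".egg-info")):
                    continue
                top_levels.add(first.split(".")[0])  # "open_webui/cli.py" -> "open_webui"
        scripts = {ep.name for ep in dist.entry_points if ep.group == "console_scripts"}
        records.append((dist.metadata["Name"], top_levels, scripts))
    return records


def find_collisions(records):
    """Return ({import name: [owning dists]}, {script name: [owning dists]}), keeping only
    names that more than one distribution claims. Owners are sorted for stable output."""
    module_owners, script_owners = defaultdict(set), defaultdict(set)
    for dist_name, top_levels, scripts in records:
        for mod in top_levels:
            module_owners[mod].add(dist_name)
        for script in scripts:
            script_owners[script].add(dist_name)

    def shared(owners):
        return {name: sorted(dists) for name, dists in owners.items() if len(dists) > 1}

    return shared(module_owners), shared(script_owners)


# Constructed sample mirroring the advisory: the upstream project, the look-alike, an unrelated dist.
SAMPLE_RECORDS = [
    ("open-webui", {"open_webui"}, {"open-webui"}),
    ("aurapro-ui", {"open_webui"}, {"aurapro-ui", "open-webui"}),
    ("requests", {"requests"}, set()),
]

if __name__ == "__main__":
    labels = ("import namespace", "console script")
    for label, found in zip(labels, find_collisions(collect_installed())):
        for name, owners in found.items():
            print(f"{label} '{name}' is claimed by: {', '.join(owners)}")
```

A report only says that two distributions claim the same name, not which one is legitimate; that still has to be checked against the project's published source and authorship, as the advisory does above.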