{"id":"MAL-2026-10643","summary":"Malicious code in ethereum-input-decorder (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (94137fcf0aee7d8edb4e15a8bc9be4455fbdf79cb5bf99987b79f0393fdff62c)\nThe package name typosquats the legitimate 'ethereum-input-decoder'. Its top-level __init__.py unconditionally invokes a payload routine on import: it detects OS/arch, downloads a platform-specific binary from easyswapnow.pro (Linux/macOS builds at /downloads/lix_amd.bin, lix_arm.bin, mac_amd.bin, mac_arm.bin) or a Google Drive file for Windows, writes it to disk, sets the executable bit, and runs it via subprocess.run. The same import path also installs login persistence, writing ~/.config/systemd/user/python-script.service on Linux (enabled via systemctl --user enable --now) and ~/Library/LaunchAgents/com.user.script.plist on macOS (loaded via launchctl load -w), causing the dropper to re-run at every user login. setup.py ships placeholder author metadata ('Your Name', 'your.email@example.com') and a 'Hello World on import' description, contradicting the README which advertises an eth_defi demo; none of this matches the actual dropper. The destination domain easyswapnow.pro is unrelated to the advertised Ethereum-decoding purpose.\n\n## Source: kam193 (00437c563c5b7c2555d512f0066e6bdb5dc61300fd00027d1b5f0fc92a06d204)\nThe typosquatted package installs a Mythic/Poseidon C2 framework beacon and ensures persistence. After installation, the beacon communicates with C2 on wegoexchange[.]site for further commands.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-07-tennacity\n\n\nReasons (based on the campaign):\n\n\n - typosquatting\n\n\n - Downloads and executes a remote executable.\n\n\n - The package contains code to detect if it is running in a sandbox environment.\n\n\n - malware\n\n\n - persistence\n","modified":"2026-07-15T18:19:27.615121771Z","published":"2026-07-15T03:52:02Z","database_specific":{"iocs":{"urls":["https://easyswapnow.pro/downloads/lix_amd.bin","https://easyswapnow.pro/downloads/lix_arm.bin","https://easyswapnow.pro/downloads/mac_amd.bin","https://easyswapnow.pro/downloads/mac_arm.bin","https://drive.google.com/uc?export=download&id=1d4zF8lnDaYCgzRrEx3WCyLTFZXVD2QBF&confirm=t","http://wegoexchange.site/data"],"domains":["wegoexchange.site","easyswapnow.pro"]},"malicious-packages-origins":[{"modified_time":"2026-07-15T03:52:02Z","versions":["1.2.4"],"source":"amazon-inspector","sha256":"00564c1a112d6de4089e6f15e5c4a40b7975579811424b1e4fe2aebef7486a8f","import_time":"2026-07-15T04:32:06.193585204Z","id":"IN-MAL-2026-010607"},{"source":"amazon-inspector","sha256":"94137fcf0aee7d8edb4e15a8bc9be4455fbdf79cb5bf99987b79f0393fdff62c","import_time":"2026-07-15T04:32:06.32566024Z","id":"IN-MAL-2026-010608","modified_time":"2026-07-15T03:52:12Z","versions":["1.2.2"]},{"import_time":"2026-07-15T08:51:08.558076785Z","id":"pypi/2026-07-tennacity/ethereum-input-decorder","modified_time":"2026-07-15T07:23:55.052647Z","versions":["1.2.2","1.2.4"],"source":"kam193","sha256":"00437c563c5b7c2555d512f0066e6bdb5dc61300fd00027d1b5f0fc92a06d204"},{"modified_time":"2026-07-15T07:23:55.052647Z","versions":["1.2.2","1.2.4"],"source":"kam193","sha256":"381c2db4c332b204ea25dcf08e4930a5f291918377816fa7305b68e3cd26134e","import_time":"2026-07-15T17:59:58.79698792Z","id":"pypi/2026-07-tennacity/ethereum-input-decorder"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/ethereum-input-decorder/1.2.4/"},{"type":"PACKAGE","url":"https://pypi.org/project/ethereum-input-decorder/1.2.2/"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/b60ead7581e0d36d47d2362a6843f6ffa3d5748fe7e3a76eef2942d13b3b0613/detection"},{"type":"WEB","url":"https://www.virustotal.com/gui/file-analysis/ZjIzNWQzZmZhYmMyZmQ5Njg3MWI4MmQ5OTMzYTc3YzU6MTc4NDAyMjgxMA=="},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/15378a183d833832b41cf28f061d6108e0145b81a8faf82f5d860828a0b99584/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/ethereum-input-decorder"}],"affected":[{"package":{"name":"ethereum-input-decorder","ecosystem":"PyPI","purl":"pkg:pypi/ethereum-input-decorder"},"versions":["1.2.4","1.2.2"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"path":"ethereum_input_decorder/__init__.py","sha256":"1eec8391f36646f98e1767e279e260ea4bb2cf9f6fbb5f6a90f2f334d2e8784e","tlsh":"1d0283d7cc8ae03141f292a94d33d592fb86a243165758a6b9fc89842f70c76c4b297f"},{"tlsh":"83f002475e807cf002b8c4182c227d18f135471b1b90c88732bc024d7f396c50b2a384","path":"setup.py","sha256":"ac2507b1b3de5940d5f71fee42167609b13a6a2882d81176fa9c07ba41146465"}],"package_integrity":[{"filename":"ethereum_input_decorder-1.2.4-py3-none-any.whl","hashes":{"blake2b_256":"9c42ce51a2c51605b114faf29bdf3ff7213572b9ae101b9069899dfa9cd652ce","md5":"0cedbd81c2f7b0ac8c0654df3eb1e716","sha256":"0c9106b52cdc5e8b050212060b2f0ded1a22f247d2bc170f9539c8059035c913"}},{"filename":"ethereum_input_decorder-1.2.4.tar.gz","hashes":{"blake2b_256":"01d47e2b82610c84c004dec4a7e70a567862df1534601349ba76cc3a16d9f25b","md5":"9133c416d45871062b1767daa17b5eff","sha256":"d48fa377fbe06563c77b6fa945d6335d450b28d88a3ae05c2d5bd60d2dc3ae82"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ethereum-input-decorder/MAL-2026-10643.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}