{"id":"MAL-2026-3356","summary":"Malicious code in test-py-conn (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (7e39e3b24f15db8e5eff412ba6cb217986b6f80b6923712abd1efee4cf79a7ed)\nThe code automatically starts a worker designed to survive the exit of the main process. The worker load code from a PYC file which then connects to pre-defined C2 server and awaits commands to execute.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-05-test-py-conn\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n\n\n - rat\n","modified":"2026-05-06T21:04:23.083307Z","published":"2026-05-06T20:28:38Z","database_specific":{"malicious-packages-origins":[{"sha256":"7e39e3b24f15db8e5eff412ba6cb217986b6f80b6923712abd1efee4cf79a7ed","versions":["0.0.1","0.0.2"],"id":"pypi/2026-05-test-py-conn/test-py-conn","import_time":"2026-05-06T20:57:19.783536628Z","modified_time":"2026-05-06T20:28:38.986161Z","source":"kam193"}],"iocs":{"domains":["hello.16fps.in"],"urls":["http://213.136.64.157:5000","http://hello.16fps.in/download/pycache"],"ips":["213.136.64.157"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/test-py-conn"}],"affected":[{"package":{"name":"test-py-conn","ecosystem":"PyPI","purl":"pkg:pypi/test-py-conn"},"versions":["0.0.1","0.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/test-py-conn/MAL-2026-3356.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}