{"id":"MAL-2026-3687","summary":"Malicious code in crazehub (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (53d37c0e75f63e9da7adcc1f71f8b67a665d080342df6857a15dadc297e4f075)\ncrazehub/__init__.py performs multiple user-hostile actions at import time. Lines 2-3 unconditionally run os.system(\"pip install phonenumbers\") and os.system(\"clear\"), silently mutating the installer's Python environment and spawning shell commands without consent. Lines 18-26 fetch https://pastebin.com/raw/jkFG4kpy via urllib.request.urlopen to retrieve an author-mutable token list, then gate execution via an interactive input('\u003e\u003e ') prompt and sys.exit(0) on mismatch — breaking CI/automation and establishing a live, attacker-mutable remote-content channel that can be repurposed at any time. The package also captures hostname/IP and base64-encodes the IP (currently written only locally, but one paste-edit away from exfiltration). Metadata is placeholder (url='https://google.com', generic description). \nAny of import-time pip install, import-time shell exec, or mutable remote content driving control flow is independently sufficient to block; all three together make this a clear install/import-time RCE surface on the installer.\n","modified":"2026-05-13T20:22:37.639310Z","published":"2026-05-12T07:43:40Z","database_specific":{"malicious-packages-origins":[{"sha256":"53d37c0e75f63e9da7adcc1f71f8b67a665d080342df6857a15dadc297e4f075","versions":["3.6.0"],"source":"amazon-inspector","modified_time":"2026-05-12T19:03:07Z","id":"IN-MAL-2026-002340","import_time":"2026-05-13T20:10:56.148358065Z"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/crazehub/3.6.0/"}],"affected":[{"package":{"name":"crazehub","ecosystem":"PyPI","purl":"pkg:pypi/crazehub"},"versions":["3.6.0"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"383edf77190ff6a1b46db7315cfac52240df4ee71319dff65d64395a8570d650","path":"crazehub/__init__.py","tlsh":"c82111109f221ad8d7d8080f7e4a91b1e729dcfdef0a55615488c3d94c6ab2de923e63"},{"sha256":"c8f21720003d2972bfd32bc047f451c278332e5abdea950e4c22abce8acf1fe4","path":"setup.py","tlsh":"f201647b18ca22b57ac10067991e1819483088330e8878d97cfd460e8feef3e497443c"}],"package_integrity":[{"filename":"crazehub-3.6.0.tar.gz","hashes":{"sha256":"91b0ad930e1989b2711a5257bc6e53f3eb7609f1a9ba9229bbbf30b157be44f4","md5":"ae3b725e6752ebfa81985103357fd6db","blake2b_256":"351275fd368a9bb8f1191f26f4a6ed26ea11134fa5c073694b5b809fd1ab8614"}}],"domains":["pastebin.com","google.com"],"urls":["https://pastebin.com/raw/jkFG4kpy","https://google.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/crazehub/MAL-2026-3687.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}