{"id":"MAL-2026-5519","summary":"Malicious code in requests-toolbelt-plus (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (38c64ca050de4910f56bc4a652890b0a378082859cb62153762c6ae08b4b8eae)\nThe package impersonates the popular `requests-toolbelt` library but ships an empty `requests_toolbelt_plus/__init__.py` and places its real logic in `setup.py`. On `pip install`, setup.py checks `/proc/version` for WSL markers and, when matched, opens a TCP socket to the hardcoded IP 185.184.192.205 on port 4444, sends a JSON beacon containing `os.getlogin()`, `os.uname().nodename`, and `os.getcwd()`, then spawns a background thread that reads JSON commands from the socket and executes them via `subprocess.run(cmd, shell=True, capture_output=True, text=True)`, returning stdout/stderr to the operator — full remote command execution against the installer's machine. setup.py also appends a Python one-liner to `~/.bashrc` that re-opens the same socket, `dup2`s stdio onto it, and execs `/bin/bash -i`, giving the attacker a persistent interactive reverse shell that fires on every new login shell and survives package uninstall. The WSL-only gating is a deliberate evasion to stay dormant on non-WSL maintainer machines and execute only on targeted Windows-Subsystem-for-Linux developer hosts.\n\n## Source: kam193 (bd626be82a68d95788077b8b3c87a960c87d971e55496791cedf85154d99087f)\nInstalling the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: GENERIC-standard-pypi-install-pentest\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n","modified":"2026-06-10T19:31:29.311823518Z","published":"2026-06-10T17:11:39Z","database_specific":{"malicious-packages-origins":[{"sha256":"bd626be82a68d95788077b8b3c87a960c87d971e55496791cedf85154d99087f","modified_time":"2026-06-10T17:11:39.385096Z","import_time":"2026-06-10T18:03:22.536305364Z","source":"kam193","id":"pypi/GENERIC-standard-pypi-install-pentest/requests-toolbelt-plus","versions":["99.9.9","99.9.10","100.0.0","2026.6.10.172624"]},{"modified_time":"2026-06-10T18:26:49Z","sha256":"38c64ca050de4910f56bc4a652890b0a378082859cb62153762c6ae08b4b8eae","versions":["99.9.9"],"import_time":"2026-06-10T19:23:47.877638703Z","id":"IN-MAL-2026-005283","source":"amazon-inspector"},{"modified_time":"2026-06-10T18:41:57Z","sha256":"477b55b0e81d5897d1d7252951b472225226bbca8a8d13a70e31cab1e9d13c26","source":"amazon-inspector","versions":["100.0.0"],"id":"IN-MAL-2026-005294","import_time":"2026-06-10T19:23:48.738470163Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/requests-toolbelt-plus"},{"type":"PACKAGE","url":"https://pypi.org/project/requests-toolbelt-plus/99.9.9/"},{"type":"PACKAGE","url":"https://pypi.org/project/requests-toolbelt-plus/100.0.0/"}],"affected":[{"package":{"name":"requests-toolbelt-plus","ecosystem":"PyPI","purl":"pkg:pypi/requests-toolbelt-plus"},"versions":["99.9.9","99.9.10","100.0.0","2026.6.10.172624"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"9b86e3072f1ac94de464250b62d35bd74eca80f444a283fbc3f5db6c066c6a6e","path":"setup.py","tlsh":"404142c1dcb90120e3b3909918259062a7677d033b46d8787abd87b06f8a079a0b95b9"},{"sha256":"a0122930824287222cc11b4598fec403993fe98807725564777d6cea63985118","path":"PKG-INFO","tlsh":"ced0a79b33862131f4c38089059c465790f9d10171ca2066c4c60ee962cf2489245438"}],"package_integrity":[{"hashes":{"blake2b_256":"62b1be1c6a672ebde0f1e5f07834bee2ec69282e165e2b329d60e24949ab49f1","sha256":"7fe6c3efb7b642c75cb23bdc84b4978c5c3d48896e38ad67c5c516561aabe10f","md5":"e98fa689bf5c5701b9a075fae46f9564"},"filename":"requests_toolbelt_plus-99.9.9-py3-none-any.whl"},{"hashes":{"blake2b_256":"abed5c121232e9ab398165d373644d77de1ce266487ba199b69ae525eaf569c0","sha256":"1134df5e03681ef11254b3370b1e054d7c2e8db4dd52c5aa59ec02a1d15219e0","md5":"889faf0acbe8ae286dfc6178353fedb7"},"filename":"requests_toolbelt_plus-99.9.9.tar.gz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/requests-toolbelt-plus/MAL-2026-5519.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}