{"id":"MAL-2026-5679","summary":"Malicious code in pylogxo (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bbeee018f429f5a978b85aa3999c8e24251a85dc787b1e4fd673abcabf157800)\nOn `import pylogx`, the package spawns a background thread that sleeps 5-20 seconds, force-installs sensitive third-party packages (cryptography, pycryptodomex, secretstorage, opencv-python, pillow, psutil) via pip, then fetches a base64-encoded blob from http://69.164.245.166/payload.txt over plaintext HTTP and passes the decoded bytes to `exec()` with a synthetic `__name__ = \"__payload__\"`. The destination is a bare IP with no TLS, no pinning, and no signature verification, so any code the operator of that host serves runs in the importing process. The pre-installed dependency set (secretstorage + cryptography) is consistent with a follow-on credential / keyring harvester. The package is also distributed under the name `pylogxo` while installing the import name `pylogx` — a near-edit of legitimate logging library names — and ships placeholder metadata (empty README, `https://github.com/example/pylogx`, `support@pylogx.example`) and references submodules (`formatter`, `handlers`) that do not exist in the tarball, so the module will ImportError only after the dropper thread has already fired. There is no legitimate reason for a logging utility to fetch and execute remote code at import time.\n\n## Source: kam193 (7ccb3e3a1ccde821415d6be9c25d123cc1ebedea4ca6dd40d77fc24e01cd0aaa)\nDuring import, the package downloads and executes remote code being an infostealer.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-pylogxo\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - infostealer\n\n\n - The package contains code to detect if it is running in a sandbox environment.\n\n\n - exfiltration-credentials\n\n\n - exfiltration-browser-data\n\n\n - files-exfiltration\n","modified":"2026-06-12T20:02:01.483043943Z","published":"2026-06-11T21:23:33Z","database_specific":{"malicious-packages-origins":[{"source":"kam193","versions":["1.0.3","1.0.4"],"import_time":"2026-06-11T22:13:52.448832018Z","modified_time":"2026-06-11T21:23:33.791422Z","id":"pypi/2026-06-pylogxo/pylogxo","sha256":"7ccb3e3a1ccde821415d6be9c25d123cc1ebedea4ca6dd40d77fc24e01cd0aaa"},{"import_time":"2026-06-12T19:44:14.386067724Z","versions":["1.0.3"],"source":"amazon-inspector","modified_time":"2026-06-12T19:10:06Z","id":"IN-MAL-2026-006156","sha256":"455e5b81bbb8135a6c89befe8fad406071a849d7a00f49206f4fbfe406f248e6"},{"versions":["1.0.4"],"import_time":"2026-06-12T19:44:14.492231979Z","source":"amazon-inspector","modified_time":"2026-06-12T19:10:08Z","id":"IN-MAL-2026-006157","sha256":"bbeee018f429f5a978b85aa3999c8e24251a85dc787b1e4fd673abcabf157800"}],"iocs":{"ips":["69.164.245.166"],"urls":["http://69.164.245.166/payload.txt"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/pylogxo"},{"type":"PACKAGE","url":"https://pypi.org/project/pylogxo/1.0.3/"},{"type":"PACKAGE","url":"https://pypi.org/project/pylogxo/1.0.4/"}],"affected":[{"package":{"name":"pylogxo","ecosystem":"PyPI","purl":"pkg:pypi/pylogxo"},"versions":["1.0.3","1.0.4"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pylogxo/MAL-2026-5679.json","indicators":{"evidence_files":[{"path":"pylogx/__init__.py","tlsh":"fa41fe0ca53d5972805b9c945d91bb23f7aebdaf0f4565f03adce3580f8983080467e8","sha256":"576416b87b73754823ef2b1db3326134d0a0fb626349dff2f68a50027a01b60f"},{"path":"setup.py","tlsh":"10115254c7c01db221a680491c4ba94aad306b073fa4fcc9779c420c2f6e2ff477a22d","sha256":"1c60a9a318dc48be8d62efb0dc71b3565e63d21c83f23ddbbbee61c2801c51f9"}],"package_integrity":[{"filename":"pylogxo-1.0.3-py3-none-any.whl","hashes":{"md5":"2d1fd24f8ab10eb57f8aa1325fc52d5a","blake2b_256":"1749d352ef3716e438589eb4982c8f47eda2364c1a75186ba80bbf1b6403d2c4","sha256":"7abdf7155f1ec78f5aeda99e53a8a2708ad353f34c353679b01f3b16559dc0b0"}},{"filename":"pylogxo-1.0.3.tar.gz","hashes":{"md5":"074aecd3535d1366472cb187100038e5","blake2b_256":"1f9164861fcd7f098be7709b231030ac246972bdc0142c8e1711356557052a24","sha256":"a391c408da110b43668b5de502827ea7333117250609faa04cb395dd215c27f5"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}