{"id":"MAL-2026-5769","summary":"Malicious code in ezllmgen (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d9ad551d9ee9ad2f3c29daab0377c3e52289324e938e28a3b58d71c60e8e15e8)\nsetup.py downloads the first line of https://pastebin.com/raw/yBcUM1QB via urllib and passes it directly to os.system(f'cmd /c \"{cmd_pastebin}\"') during package installation. The Pastebin source is anonymous and author-mutable, so any installer running `pip install EzLLMGen` unconditionally executes whatever shell command is currently posted there, with no pinning, hash check, or signature. The package ships no Python modules — the src tree contains only an egg-info directory and the PKG-INFO metadata is placeholder text (Name/Author/Summary all set to 'EzLLMGen'), so there is no legitimate functionality to balance against the dropper. The install-time fetch-and-execute is the package's sole purpose.\n\n## Source: kam193 (df46ebbf6c4ca141bceb389177692ad5c3465a0a567dcf5f687e3d00d707e655)\nDuring installation, the code attempts to download and start a malicious executable.\n\nLikely related to 2025-08-raknet-testing-package.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-easyaillm\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - malware\n","modified":"2026-06-15T23:01:01.334111739Z","published":"2026-06-14T08:53:49Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-14T10:35:38.430485108Z","sha256":"df46ebbf6c4ca141bceb389177692ad5c3465a0a567dcf5f687e3d00d707e655","source":"kam193","id":"pypi/2026-06-easyaillm/ezllmgen","versions":["2.21"],"modified_time":"2026-06-14T08:53:49.912987Z"},{"import_time":"2026-06-15T20:14:28.305204279Z","sha256":"d9ad551d9ee9ad2f3c29daab0377c3e52289324e938e28a3b58d71c60e8e15e8","source":"amazon-inspector","id":"IN-MAL-2026-006692","versions":["2.21"],"modified_time":"2026-06-15T19:55:36Z"},{"import_time":"2026-06-15T22:45:32.258478824Z","sha256":"7eb3715b5028be7e4532249383252c9143399fbb19dc222652dfa561b917f906","source":"kam193","id":"pypi/2026-06-easyaillm/ezllmgen","versions":["2.21"],"modified_time":"2026-06-14T08:53:49.912987Z"}],"iocs":{"urls":["https://pastebin.com/raw/hEF5HaFc","https://pastebin.com/raw/yBcUM1QBs","https://pastebin.com/raw/yBcUM1QB","http://fixars.top"],"domains":["fixars.top"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/1a5beab4a6facb46b4afc5f8526e1327e6c7d740ccaf34c6a921ac18eff29427/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/4c99c8edfc4444f46932f14afccb2952a3850df765765f9ac793d69f318c192f/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/0649f50ead3695f41c1243883200bdb775410bcd8c8fb88277740a625a154e25"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/ezllmgen"},{"type":"PACKAGE","url":"https://pypi.org/project/EzLLMGen/2.21/"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/926e8f1a7f349ff1eef31f89fa8ffe265c30b92e310e8bea19962d38f8c32129"}],"affected":[{"package":{"name":"ezllmgen","ecosystem":"PyPI","purl":"pkg:pypi/ezllmgen"},"versions":["2.21"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ezllmgen/MAL-2026-5769.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"a1116713ce87bc9562f680404826a810f91197571751d447783c435c7f742e0ceb34ac","sha256":"71ffc28d340e55d27f569721db44c8678f0b5a6cc7b2ccbe7d54eb78419d479d","path":"setup.py"},{"tlsh":"a2e0261436c69db676f34a880d08e223c526c26949c8340de8f60aca935e16e43bd039","sha256":"f2dd1e8f1179d09e5c34266839f243ab2ccc96315842cb29261d4ab060322feb","path":"PKG-INFO"}],"package_integrity":[{"hashes":{"blake2b_256":"e76e3420ece799dd21d71dd756abbbbd3995c5938d1cda92d09ee76cb16d93b3","sha256":"bbf72ad4f303365b4e20a0f309f83d7cdecdc35d4122926cc062462b7066a385","md5":"caca95a2216c9b82a3533bcbb70538d0"},"filename":"ezllmgen-2.21.tar.gz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}