{"id":"MAL-2026-5840","summary":"Malicious code in testpackagemanyhttpsgo (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (336f39e218fe5b5a09ef8ee7757efa7a0ca73c0fe6571bc232d735448499a950)\nAt install time, setup.py fetches https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe via urllib, writes the response to disk, and executes it with `os.system(\"cmd /c start 6a306c5f03a52.exe\")`. tmpfiles.org is an anonymous, throwaway file-hosting service; the URL is unpinned and unverified, the payload is an opaque Windows executable, and the package's metadata (author and description both equal to the package name) is placeholder content consistent with a throwaway publisher account. Any Windows host running `pip install` for this package will fetch and execute attacker-controlled bytes automatically, with no opt-in or verification.\n\n## Source: kam193 (d330f7ba94bdfb53c05235fa9b278688ada43c2fe207ccc51e977afbc227333c)\nDuring installation, the code attempts to download and start a malicious executable.\n\nLikely related to 2025-08-raknet-testing-package.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-easyaillm\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - malware\n\n\n - tool:mshta\n","modified":"2026-06-17T10:00:59.246619551Z","published":"2026-06-15T22:00:38Z","database_specific":{"malicious-packages-origins":[{"source":"kam193","versions":["2.26"],"modified_time":"2026-06-15T22:00:40.18636Z","sha256":"e58c0178b75445617a5eb6ea340e797c86e324d07063e57b9fc4d3eaa5e2c0d9","import_time":"2026-06-15T22:45:32.267135758Z","id":"pypi/2026-06-easyaillm/testpackagemanyhttpsgo"},{"sha256":"336f39e218fe5b5a09ef8ee7757efa7a0ca73c0fe6571bc232d735448499a950","versions":["2.26"],"modified_time":"2026-06-16T02:55:47Z","source":"amazon-inspector","import_time":"2026-06-16T03:49:20.022421071Z","id":"IN-MAL-2026-006743"},{"source":"kam193","versions":["2.26"],"modified_time":"2026-06-15T22:00:40.18636Z","sha256":"559b34e692c8774c8d4e07cda7c26abefcb40c559158bbdf0179710702ddcca4","import_time":"2026-06-16T10:17:17.182692618Z","id":"pypi/2026-06-easyaillm/testpackagemanyhttpsgo"},{"source":"kam193","versions":["2.26"],"modified_time":"2026-06-15T22:00:40.18636Z","sha256":"d330f7ba94bdfb53c05235fa9b278688ada43c2fe207ccc51e977afbc227333c","import_time":"2026-06-17T09:49:36.178896005Z","id":"pypi/2026-06-easyaillm/testpackagemanyhttpsgo"}],"iocs":{"urls":["https://pastebin.com/raw/hEF5HaFc","https://pastebin.com/raw/yBcUM1QBs","https://pastebin.com/raw/yBcUM1QB","http://fixars.top","https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe"],"domains":["fixars.top"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/1a5beab4a6facb46b4afc5f8526e1327e6c7d740ccaf34c6a921ac18eff29427/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/4c99c8edfc4444f46932f14afccb2952a3850df765765f9ac793d69f318c192f/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/0649f50ead3695f41c1243883200bdb775410bcd8c8fb88277740a625a154e25"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/926e8f1a7f349ff1eef31f89fa8ffe265c30b92e310e8bea19962d38f8c32129"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/testpackagemanyhttpsgo"},{"type":"PACKAGE","url":"https://pypi.org/project/TestPackageManyHttpsGo/2.26/"}],"affected":[{"package":{"name":"testpackagemanyhttpsgo","ecosystem":"PyPI","purl":"pkg:pypi/testpackagemanyhttpsgo"},"versions":["2.26"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/testpackagemanyhttpsgo/MAL-2026-5840.json","indicators":{"package_integrity":[{"filename":"testpackagemanyhttpsgo-2.26.tar.gz","hashes":{"sha256":"5b1d23e716f32c271d330edb7b12bd3e6a439d01404c83e67e67ee4d121287be","md5":"9f36a52c008332882b77f33a948cbe36","blake2b_256":"9041efb88eb13129da361eb0252fd252089f4e47bdca31a8534f712d18b707f9"}}],"evidence_files":[{"sha256":"4d222f40c5eb66ef90be09fc28859ca74c0c9279ed84c35f145a8337676a7cd5","path":"setup.py","tlsh":"071123538cd6621990b0484099305425faa6e35f6b10c4c7b03d432c7ff88a185a7458"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}