{"id":"MAL-2026-5876","summary":"Malicious code in temp-development-package-test (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (5cdc1d94dd0cfb62a4a0267ae52bf1a72dfa31a6854196b4bb220759b7c6e878)\nStarting with version 0.4, the package installs a sitecustomize.py that executes automatically during Python interpreter initialization. The embedded code uses mshta to download malicious code, as in other packages from the campaign.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-easyaillm\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - malware\n\n\n - tool:mshta\n","modified":"2026-06-17T10:00:59.185135282Z","published":"2026-06-16T09:48:43Z","database_specific":{"iocs":{"urls":["https://pastebin.com/raw/hEF5HaFc","https://pastebin.com/raw/yBcUM1QBs","https://pastebin.com/raw/yBcUM1QB","http://fixars.top","https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe","http://62.60.226.243/public_files/98r4aXA.txt","http://62.60.226.243/public_files/16sas.jpg?12711313"],"domains":["fixars.top"]},"malicious-packages-origins":[{"sha256":"e3c86f2cd8d50f754a3ad16c1daeda56d43f655d6025fa24c7fa91bcbdfd84dc","source":"kam193","import_time":"2026-06-16T10:17:17.181851951Z","versions":["0.1","0.2","0.3","0.4"],"modified_time":"2026-06-16T09:48:43.333965Z","id":"pypi/2026-06-easyaillm/temp-development-package-test"},{"versions":["0.1","0.2","0.3","0.4"],"source":"kam193","import_time":"2026-06-16T12:17:04.382979281Z","sha256":"dcb57e25c8993eacafd70b6d4add3460419c7f2c7083ee50397700f1e1238d4c","modified_time":"2026-06-16T09:48:43.333965Z","id":"pypi/2026-06-easyaillm/temp-development-package-test"},{"sha256":"5cdc1d94dd0cfb62a4a0267ae52bf1a72dfa31a6854196b4bb220759b7c6e878","source":"kam193","import_time":"2026-06-17T09:49:36.178013694Z","versions":["0.1","0.2","0.3","0.4"],"modified_time":"2026-06-16T09:48:43.333965Z","i
d":"pypi/2026-06-easyaillm/temp-development-package-test"}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/1a5beab4a6facb46b4afc5f8526e1327e6c7d740ccaf34c6a921ac18eff29427/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/4c99c8edfc4444f46932f14afccb2952a3850df765765f9ac793d69f318c192f/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/0649f50ead3695f41c1243883200bdb775410bcd8c8fb88277740a625a154e25"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/926e8f1a7f349ff1eef31f89fa8ffe265c30b92e310e8bea19962d38f8c32129"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/temp-development-package-test"}],"affected":[{"package":{"name":"temp-development-package-test","ecosystem":"PyPI","purl":"pkg:pypi/temp-development-package-test"},"versions":["0.1","0.2","0.3","0.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/temp-development-package-test/MAL-2026-5876.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}