{"id":"MAL-2026-6280","summary":"Malicious code in ip-rotat (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e85ab2724beee13bb6c2658c5bf5d50069c83619f062d39935226ff1fee1c0a3)\nOn `pip install` or `pip download`, setup.py registers overridden `install` and `egg_info` cmdclass entries that execute `ps -elf` to capture the host's process listing and iterate the entire `os.environ` mapping into a URL-encoded body, then POST the combined payload via curl to `http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun` over plaintext HTTP. Bulk env scraping at install time leaks any CI/CD secrets present in the environment (AWS keys, GitHub/npm/PyPI tokens, etc.) along with a system-wide process listing. The package ships no actual ip-rotation functionality — setup.py contains only the exfiltration payload, the package name `ip_rotat` is a one-character truncation of common `ip-rotator`-style libraries, and the README references the `this_is_fine_wuzzi` install-time-code-execution PoC. The combination of name confusion, zero advertised functionality, and an automatic install-time exfil hook is a supply-chain attack against any installer.\n\n## Source: kam193 (a7a8225ea0ef3ae5d58eed407fa3e3af246d4e246125598ce5e6720fc4e47e5d)\nDuring installation, the package exfiltrates env variables\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-ip-rotat\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - exfiltration-env-variables\n\n\n - typosquatting\n","modified":"2026-06-24T08:01:23.092520723Z","published":"2026-06-23T10:23:00Z","database_specific":{"malicious-packages-origins":[{"id":"pypi/2026-06-ip-rotat/ip-rotat","versions":["0.0.1"],"sha256":"3ecb8a355dcbe7df86e0a785d8639e85faab9a5b4bad430ae3701ffa9432a4d2","import_time":"2026-06-23T10:43:06.710271168Z","modified_time":"2026-06-23T10:23:00.519394Z","source":"kam193"},{"id":"pypi/2026-06-ip-rotat/ip-rotat","versions":["0.0.1"],"modified_time":"2026-06-23T10:23:00.519394Z","import_time":"2026-06-23T13:28:20.422406368Z","sha256":"c94ce837f78d13ec8e012833efb46fab8b496311d90347759f21366b3bfdfbea","source":"kam193"},{"id":"IN-MAL-2026-007335","versions":["0.0.1"],"modified_time":"2026-06-23T18:58:13Z","import_time":"2026-06-23T19:40:40.585497582Z","sha256":"e85ab2724beee13bb6c2658c5bf5d50069c83619f062d39935226ff1fee1c0a3","source":"amazon-inspector"},{"id":"pypi/2026-06-ip-rotat/ip-rotat","versions":["0.0.1"],"modified_time":"2026-06-23T10:23:00.519394Z","import_time":"2026-06-24T07:47:34.502647077Z","sha256":"a7a8225ea0ef3ae5d58eed407fa3e3af246d4e246125598ce5e6720fc4e47e5d","source":"kam193"}],"iocs":{"domains":["gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/ip-rotat"},{"type":"PACKAGE","url":"https://pypi.org/project/ip-rotat/0.0.1/"}],"affected":[{"package"
:{"name":"ip-rotat","ecosystem":"PyPI","purl":"pkg:pypi/ip-rotat"},"versions":["0.0.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"blake2b_256":"e3fe494297db1eca4e166d99346cb88890eb373248d08338204f96580259a020","sha256":"bd9523c4a1ba2db706215f8cff0be50f842d1fc34d536afea3710ec5c637dc99","md5":"b06870b5cab24c259e195529018f64ee"},"filename":"ip_rotat-0.0.1-py3-none-any.whl"},{"hashes":{"blake2b_256":"fa85c74a78d44c718547ee47408a6a8d203f983722fad48518d0372789596482","sha256":"1ac023fc2f99194fb57b2bbba7a124b5d28b4acd89a71a65f3f7755ba3a0b9df","md5":"4b0593b71ff32057e819e070ba3e7677"},"filename":"ip_rotat-0.0.1.tar.gz"}],"evidence_files":[{"sha256":"f412ddb8e55631ff8fdb669a2a93b79e9390eb3e402e5a5f632c27366087d599","tlsh":"45316207e1bf29291ec344a0558f03959bc0e3a32f6471fa72fc29191f0b129103b8af","path":"setup.py"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ip-rotat/MAL-2026-6280.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}