{"id":"MAL-2026-6488","summary":"Malicious code in pyext6cc8cd (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f98319eaa02d50e8a098d9cfaaca054df5acc8238dd08b2e24899f700e029a07)\nOn `pip install`, setup.py decodes a hex string via `bytes.fromhex(\"6f70656e202d612043616c63756c61746f72\").decode().split()` to the argv `open -a Calculator` and executes it through `subprocess.Popen` before `setuptools.setup()` is called. The command runs unconditionally as part of the install lifecycle. The package metadata is placeholder (Author, Home-page, and Description are all 'UNKNOWN') and the package ships no functional code, so this is a proof-of-concept / test artifact demonstrating arbitrary install-time command execution. While the decoded payload here only opens macOS Calculator, the hex obfuscation of the argv is a deliberate technique to evade scanners that grep setup.py for literal command strings, and the same primitive trivially swaps to a destructive or exfiltration payload.\nInstallers should treat this version as untrusted install-time code execution.\n","modified":"2026-06-25T23:16:24.389063043Z","published":"2026-06-25T22:45:45Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-25T23:00:34.943587111Z","modified_time":"2026-06-25T22:45:45Z","source":"amazon-inspector","versions":["1.0.0"],"id":"IN-MAL-2026-007566","sha256":"f98319eaa02d50e8a098d9cfaaca054df5acc8238dd08b2e24899f700e029a07"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/pyext6cc8cd/1.0.0/"}],"affected":[{"package":{"name":"pyext6cc8cd","ecosystem":"PyPI","purl":"pkg:pypi/pyext6cc8cd"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pyext6cc8cd/MAL-2026-6488.json","indicators":{"package_integrity":[{"hashes":{"blake2b_256":"5329c96214c672eb2d3eeacb316f7000f93cb84d0396e853b55d17aa52b5cd19","sha256":"74e9e3f93c39a9e43e1dd44b2325a0efac64594ca200265ee0173432799558c2","md5":"055eed3d1f38d187dc43875a71cd0e18"},"filename":"pyext6cc8cd-1.0.0.tar.gz"}],"evidence_files":[{"sha256":"94e6e11ef84a7100db3ea720d1cd2e7907e279b4d7a1494eb636794616c5ad11","path":"setup.py","tlsh":"f6c022924927eaf920bcc2f80e8040e12e34aa151b03ca681a4627a2038e0b0ae18044"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}