{"id":"MAL-2026-6489","summary":"Malicious code in extra-huggingface (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c76a4e01b00801049375b9e60419bfba79f9b0afbb02aab5b4117f989296c5d3)\nThe package presents itself as part of the Hugging Face ecosystem but actually ships a remote-access agent. `extra_huggingface/__init__.py` re-exports `run_agent`, `run_task`, `agent_info`, and a `persistence` primitive from a bundled 8.5 MB Windows PE module `extra_huggingface/_native.pyd`. The CLI hardcodes `DEFAULT_SERVER = \"http://91.92.40.212:8080\"` and provides subcommands `run`, `install-autostart`, `remove-autostart`, and `autostart-status`. When invoked, `run_agent(server=...)` polls the attacker-controlled server at 91.92.40.212:8080 and dispatches tasks delivered by that server on the installer's machine; `install_autostart()` calls the native `persistence(\"install\", server)` to register the agent for execution after login/boot so the C2 connection survives reboot. The actual networking, command dispatch, and persistence logic live in the opaque native binary, with the Python layer acting as a thin shim. The package name impersonates the popular `huggingface`/`huggingface_hub` namespace while the metadata homepage is the placeholder `github.com/example/extra_huggingface`, consistent with a typosquat lure targeting ML developers.\n\n## Source: kam193 (4ebe54bed2c64bd1c1da46c59e7f1c4bb35b0ca64f9bbe5529c63a7a82eaef7c)\nWhen starting the module, package activates RAT-capabilities, which includes exfiltrating sensitive data. Though the package is claimed to be for educational usage, the name and default actions suggest different intentions.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-extra-huggingface\n\n\nReasons (based on the campaign):\n\n\n - rat\n\n\n - exfiltration-browser-data\n\n\n - typosquatting\n\n\n - native-extension\n\n\n - persistence\n\n\n - infostealer\n","modified":"2026-06-26T01:16:24.790286709Z","published":"2026-06-25T22:49:25Z","database_specific":{"iocs":{"ips":["91.92.40.212"],"urls":["http://91.92.40.212:8080"]},"malicious-packages-origins":[{"id":"pypi/2026-06-extra-huggingface/extra-huggingface","modified_time":"2026-06-25T22:49:25.965933Z","import_time":"2026-06-25T23:38:17.423588537Z","sha256":"4ebe54bed2c64bd1c1da46c59e7f1c4bb35b0ca64f9bbe5529c63a7a82eaef7c","source":"kam193","versions":["0.4.0"]},{"id":"IN-MAL-2026-007575","source":"amazon-inspector","versions":["0.4.0"],"sha256":"c76a4e01b00801049375b9e60419bfba79f9b0afbb02aab5b4117f989296c5d3","import_time":"2026-06-26T00:59:26.009043144Z","modified_time":"2026-06-26T00:43:07Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/extra-huggingface"},{"type":"PACKAGE","url":"https://pypi.org/project/extra-huggingface/0.4.0/"}],"affected":[{"package":{"name":"extra-huggingface","ecosystem":"PyPI","purl":"pkg:pypi/extra-huggingface"},"versions":["0.4.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"extra_huggingface/cli.py","tlsh":"34410344ac5718220fc7869d6c646a1543316e43090ff81cbaec26a42f5f53ba1e76fd","sha256":"f963ba3f6ad8758b299c115e0bce66d057a6795bae30a0b7d4564a67e2f1a751"},{"path":"extra_huggingface/__init__.py","tlsh":"8d114cc6f47bac734fed93691043a751a7f409934d59a438f6fb11a81b0b02a42620fd","sha256":"ac7f9cb22d5703432dc0feff4f38c88b5c6ed153deff2a1e676d83ff687d1eda"},{"tlsh":"4b01968304c95ef42fd3090b625c4d0588324e69564f18dcb9fa8a1fd592ab3403c17c","path":"extra_huggingface-0.4.0.dist-info/METADATA","sha256":"ac9ec40e2851c24013c60547d4cff27fd0b961c9075dcb15b45fb6797c9308c5"}],"package_integrity":[{"filename":"extra_huggingface-0.4.0-cp311-abi3-win_amd64.whl","hashes":{"md5":"07c2a15a40f42805105d91f472846b25","blake2b_256":"b39ec67d44f1406eb81753375ec21012a4837b1eebd4460dc1b896aa772e1ae8","sha256":"f8fd7fb9d5f2f750edef61cd4840f19e2505e2cf9efed8e60c8ad720e33afeac"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/extra-huggingface/MAL-2026-6489.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}