{"id":"MAL-2026-6558","summary":"Malicious code in fsociety-tools (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (88731d75288f663967fc64dde12b04eb43a2eb3d4113486bf35b1cf3d89ae537)\nOn import, fsociety_tools/__init__.py loads tokens.py, which at module load time instantiates TokenManager(). The constructor concatenates eight large string chunks, base64-decodes the result, XOR-decrypts the bytes with key 66, writes the decoded Windows executable to %TEMP%\\fsociety.tmp, and launches it via subprocess.Popen with shell=True and creationflags=0x08000000 (CREATE_NO_WINDOW) so no console window appears. The surrounding TokenManager/validate_token/TokenAPI scaffolding and the package's self-description as 'Security and penetration testing utilities for ethical hackers' (with a Mr. Robot themed author identity) are cover for the dropper: the advertised CLI only prints fake Discord-shaped tokens, while the real effect of `import fsociety_tools` (or invoking the installed `fsociety` console script, which imports the package) is materialization and silent execution of an opaque embedded PE on Windows. Splitting the payload across multiple variables, base64+XOR encoding, hidden-window execution, and a decoy benign API together constitute an unambiguous import-time binary dropper.\n\n## Source: kam193 (a6cc8226dddc34465de607c5b458e927a11942543cc17b30a5ca125abce2e81b)\nDuring import, package executes the embedded executable. It is an infostealer named internally as \"NBSteal\", focused on exfiltrating data from browsers, Telegram, Discord, Roblox and other gaming platforms, and other credentials.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-discord-token-generator\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - files-exfiltration\n\n\n - obfuscation\n\n\n - exfiltration-browser-data\n\n\n - malware\n\n\n - target:telegram\n\n\n - exfiltration-credentials\n","modified":"2026-06-29T07:16:42.992037278Z","published":"2026-06-28T11:03:41Z","database_specific":{"iocs":{"urls":["https://nbbtest.bnfdkfq156.workers.dev/"],"domains":["nbbtest.bnfdkfq156.workers.dev"]},"malicious-packages-origins":[{"id":"pypi/2026-06-discord-token-generator/fsociety-tools","sha256":"a6cc8226dddc34465de607c5b458e927a11942543cc17b30a5ca125abce2e81b","versions":["1.0.0","1.0.1","1.0.2"],"modified_time":"2026-06-28T11:03:41.542036Z","source":"kam193","import_time":"2026-06-28T11:37:31.068682642Z"},{"id":"IN-MAL-2026-007755","sha256":"f49bb412c3e105392fa2cd4c245f0ea81b26b2b7bfaa5f5804df48e745e2a97d","versions":["1.0.1"],"modified_time":"2026-06-29T05:50:28Z","source":"amazon-inspector","import_time":"2026-06-29T07:09:10.228790657Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"id":"IN-MAL-2026-007754","sha256":"88731d75288f663967fc64dde12b04eb43a2eb3d4113486bf35b1cf3d89ae537","versions":["1.0.0"],"modified_time":"2026-06-29T05:50:17Z","source":"amazon-inspector","import_time":"2026-06-29T07:09:10.158145401Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/c31597963a8e83fc068a70a6187abc4d8fb1a67b318fc20aebb298ad97377783/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/fsociety-tools"},{"type":"PACKAGE","url":"https://pypi.org/project/fsociety_tools/1.0.1/"},{"type":"PACKAGE","url":"https://pypi.org/project/fsociety_tools/1.0.0/"}],"affected":[{"package":{"name":"fsociety-tools","ecosystem":"PyPI","purl":"pkg:pypi/fsociety-tools"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.0.0","1.0.1","1.0.2"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fsociety-tools/MAL-2026-6558.json","indicators":{"evidence_files":[{"path":"fsociety_tools/tokens.py","sha256":"e20b006099ef352ca8b4d2e7f01a3e33342e7bff5a6025b5e294ad81865d37ee","tlsh":"c9731973e905036bdb1e01455eb4cf5fa4522722f202ddd8390a38999ffe66f12e482b"},{"path":"setup.py","sha256":"90eb6152f3dac7638ad0beaa0f92305e782632abc3113ba2e21ed08029e87e07","tlsh":"0911544ac5a8adb412d2c1562c6599ae45f9e4172fae30cc739c42082f4d2ff537615d"}],"package_integrity":[{"filename":"fsociety_tools-1.0.1-py3-none-any.whl","hashes":{"sha256":"96a3a7368a87257d1bda9ba05a42a06a40e877bd6ab40b341418056ff8cfa263","blake2b_256":"c8e11549dd5d6f30eea6a9811dc46842ca6a3b99b59c7c4dd1853ba5e9cc0078","md5":"db971f2f5a5eed4d5b729af9e756fcbe"}},{"filename":"fsociety_tools-1.0.1.tar.gz","hashes":{"sha256":"aea3fdeee76170028e9a07d29d519eb79c629e895840e35c0b86e8f97f4d024f","blake2b_256":"274098413e3efd8f7d2f40a47a505fa1dc90c65580f597ff2d23a07a2a9bf704","md5":"11926a0751e0012919e32c2a15195589"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}