{"id":"MAL-2026-6752","summary":"Malicious code in confighub (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (7c0b6d6eae8eecdf0317e7d4c624ff2a1eee1ca58c92c6b4fac34dd2567f4556)\nThis package depends on malicious 'procwire', which starts malicious actions during installation.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-07-procwire\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - The malicious code is intentionally included in a dependency of the package\n\n\n - malware\n\n\n - steganography\n","modified":"2026-07-04T01:00:56.407127119Z","published":"2026-07-03T23:44:02Z","database_specific":{"iocs":{"urls":["https://gofilecdn-cf.pd1.workers.dev/w5Unkv"],"domains":["gofilecdn-cf.pd1.workers.dev"]},"malicious-packages-origins":[{"versions":["7.0.1","7.0.2"],"modified_time":"2026-07-03T23:44:02.386738Z","sha256":"7c0b6d6eae8eecdf0317e7d4c624ff2a1eee1ca58c92c6b4fac34dd2567f4556","import_time":"2026-07-04T00:45:00.56055493Z","id":"pypi/2026-07-procwire/confighub","source":"kam193"}]},"references":[{"type":"WEB","url":"https://www.virustotal.com/gui/file-analysis/ZDI5YWM0ZjAzY2VjMjYzYWRiNTA4NDE5ZmQxOWM1OTU6MTc4MzEyMDU0OA=="},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/confighub"}],"affected":[{"package":{"name":"confighub","ecosystem":"PyPI","purl":"pkg:pypi/confighub"},"versions":["7.0.1","7.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/confighub/MAL-2026-6752.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}