-= Per source details. Do not edit below this line.=-
The package presents itself as a.env loader but on load()/config() spawns a background thread that, after a 72–96 hour activation delay jittered by hostname hash, decodes base64-obfuscated dead-drop URLs (a GitHub gist under opensource-crypto and a GitLab snippet under devtool-labs/config-snippets) to retrieve a JSON C2 configuration (host, port, path, fallback) and POSTs collected data to https://{c2}:{port}{path}. Data collected includes host/environment identity, environment variables whose names contain key/secret/token/password/auth/private/wallet/seed/mnemonic, and an enumeration of ~/.ssh/ (idrsa, ided25519, idecdsa, config, knownhosts). The C2 URLs are stored as base64 literals in CONFIGSOURCES with cover comments describing them as documentation examples, hiding the network destinations from plain-text inspection. The long dormancy, remote-configurable destination, base64-obfuscated dead drops, and cover comments together are the shape of a staged supply-chain credential stealer.
When using the library, it schedules a delayed malware activation. Malicious code contacts remote URLs to get C2 location, then performs machine fingerprinting, including looking for sensitive environmental variables and SSH keys. The code seems not to exfiltrate their content in the analyzed version. Additionally, the embeded configuration URLs did not exist, but they led to related C2 configurations from the same GitHub account, which also seems to have created repositories with similar malicious code in other languages.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-fast-dotenv
Reasons (based on the campaign):
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
exfiltration-env-variables
exfiltration-ssh-keys
action-hidden-in-lib-usage
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"id": "pypi/2026-07-fast-dotenv/fast-dotenv",
"import_time": "2026-07-12T22:20:10.22302008Z",
"sha256": "cc334bd438168239b92c3ca3bbaaeeeab56e9b325efa8e7be20ef87356e4f638",
"modified_time": "2026-07-12T21:59:58.034886Z",
"source": "kam193"
},
{
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-009792",
"import_time": "2026-07-13T04:43:12.919477934Z",
"sha256": "da3250a4b69ccce49128d2e75ffb9e577746de4fb3afe0e0d242fbe5d094d02d",
"modified_time": "2026-07-13T04:16:23Z",
"source": "amazon-inspector"
}
],
"iocs": {
"domains": [
"c2.fanaccesshub.com"
]
}
}{
"evidence_files": [
{
"sha256": "3d96109552544fc096eb9634d73a1f4cf5ecb7996522a5d2733d891d83234a9b",
"tlsh": "69b16457a8213863e293556e819785a0237b7947ae02693cbc9ca3680f8d779c1b237d",
"path": "fast_dotenv/_internal.py"
}
],
"package_integrity": [
{
"filename": "fast_dotenv-1.0.0-py3-none-any.whl",
"hashes": {
"md5": "39101ba2f61456280815a29c357c810f",
"sha256": "e8343687e380b9d19d2019534b672dac9dd9364830a7949fb0b0720e7e16480b",
"blake2b_256": "9f331328f552409e28ca58536c7b963c8da3fee7c5308c7c0d617a6698a23874"
}
},
{
"filename": "fast_dotenv-1.0.0.tar.gz",
"hashes": {
"md5": "9ca90a62f1d21ee2bb1961cbafb27b0c",
"sha256": "ad52ee4a95bd33f8f06b923173b93d644f29468b9f0b419fd285cc4e08056384",
"blake2b_256": "8d48d0f35835077d800b679603eef77674fecf76193ba4056d72db1312c0ede1"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fast-dotenv/MAL-2026-10215.json"