-= Per source details. Do not edit below this line.=-
tennacity is a one-character typosquat of the popular 'tenacity' library; its README/PKG-INFO are copied verbatim from real tenacity while setup.py lists placeholder author metadata ('Your Name', your.email@example.com) and a 'prints Hello World on import' description. On import, tennacity/init.py branches on OS and CPU architecture to download platform-specific binaries from https://easyswapnow.pro/downloads/lixamd.bin, lixarm.bin, macamd.bin, macarm.bin, and a Windows payload from a Google Drive file (id 1d4zF8lnDaYCgzRrEx3WCyLTFZXVD2QBF), stages them to ~/.local/share/config, /Users/Shared/.local/config, and %TEMP%/t.jse, sets the executable bit, and invokes them via subprocess.run. It then installs login-time persistence: a systemd --user unit at ~/.config/systemd/user/python-script.service (enabled via 'systemctl --user enable --now') on Linux and a LaunchAgent at ~/Library/LaunchAgents/com.user.script.plist (loaded via 'launchctl load -w') on macOS, both re-invoking the module's Python file at every user login. The fetched binaries are unpinned, unverified, and hosted on a non-publisher domain unrelated to the package's stated Hello-World purpose.
The typosquatted package installs a Mythic/Poseidon C2 framework beacon and ensures persistence. After installation, the beacon communicates with C2 on wegoexchange[.]site for further commands.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-tennacity
Reasons (based on the campaign):
malware
Downloads and executes a remote executable.
The package contains code to detect if it is running in a sandbox environment.
typosquatting
persistence
{
"iocs": {
"domains": [
"wegoexchange.site",
"easyswapnow.pro"
],
"urls": [
"https://easyswapnow.pro/downloads/lix_amd.bin",
"https://easyswapnow.pro/downloads/lix_arm.bin",
"https://easyswapnow.pro/downloads/mac_amd.bin",
"https://easyswapnow.pro/downloads/mac_arm.bin",
"https://drive.google.com/uc?export=download&id=1d4zF8lnDaYCgzRrEx3WCyLTFZXVD2QBF&confirm=t",
"http://wegoexchange.site/data"
]
},
"malicious-packages-origins": [
{
"source": "kam193",
"versions": [
"1.0.0",
"1.2.0",
"1.2.2"
],
"sha256": "d1f457b8b07c4cda5c20b76c195faa127906578c1977fb00469c44a7a114f810",
"id": "pypi/2026-07-tennacity/tennacity",
"modified_time": "2026-07-14T10:08:54.466025Z",
"import_time": "2026-07-14T10:35:53.662535686Z"
},
{
"sha256": "c61b9ced61c9f37b074b401bd8af2703a54e8bbdf54b27912c2f0079b4250986",
"versions": [
"1.2.0"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-010500",
"modified_time": "2026-07-14T12:48:59Z",
"import_time": "2026-07-14T13:35:49.275013681Z"
},
{
"sha256": "c70bb79fdd421b53349d6a7f4a25c85fb73b4c3ef6909fc3ef4cf1585d0a8232",
"versions": [
"1.2.2"
],
"id": "IN-MAL-2026-010498",
"source": "amazon-inspector",
"modified_time": "2026-07-14T12:48:41Z",
"import_time": "2026-07-14T13:35:49.084082746Z"
},
{
"sha256": "c7933cd1ec11531feba788870555eeac615535d8e230b4d252880def9c68ff5e",
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-010497",
"source": "amazon-inspector",
"modified_time": "2026-07-14T12:48:34Z",
"import_time": "2026-07-14T13:35:48.961316868Z"
},
{
"id": "pypi/2026-07-tennacity/tennacity",
"versions": [
"1.0.0",
"1.2.0",
"1.2.2"
],
"modified_time": "2026-07-14T10:08:54.466025Z",
"source": "kam193",
"sha256": "c5dc783a91ddb736feade459a3d46377e880ee7769860342eb045fd01941d38b",
"import_time": "2026-07-15T08:51:08.559315723Z"
},
{
"id": "pypi/2026-07-tennacity/tennacity",
"versions": [
"1.0.0",
"1.2.0",
"1.2.2"
],
"modified_time": "2026-07-14T10:08:54.466025Z",
"source": "kam193",
"sha256": "627140a0bd5a559a78ab8896b921155dbf2c8afa62b548b5d426ef83d59e0c05",
"import_time": "2026-07-15T17:59:58.800319957Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "tennacity-1.2.0-py3-none-any.whl",
"hashes": {
"blake2b_256": "5c629277a0509dd28282ee18665a5288213235790463fbd1fbde40b23e6b6bad",
"md5": "a8d07dd976da71df1c6f6eb727128b58",
"sha256": "38abd27082b71c47e53a2bd2143026df3b57481761e77b4f5ffdc917c545a547"
}
},
{
"filename": "tennacity-1.2.0.tar.gz",
"hashes": {
"blake2b_256": "f8b6aaa463bca6adc9bcf204043d9ab31f508b572f4e5a9ebe51cbffc8603c7f",
"md5": "8088c48b152218a0dc9171d7f1156738",
"sha256": "ea58c974bfd4e999c3b490f855a273f81deec8b708bc9c91c6e7e3fd6c379ee1"
}
}
],
"evidence_files": [
{
"path": "tennacity/__init__.py",
"sha256": "b03fab4dfa0e56ede3fe954cc98966f65b5c2f371caba5d596e09b604f2222af",
"tlsh": "8912a382cc86b83101b29aad8c33c552fb4b5603466b64a5b4fc85d91f70876c5b29bf"
},
{
"path": "setup.py",
"tlsh": "66f0ac571e817ca002b5c0582d26bd19f539872b1a90c8cb36bc021d7f799c64a26394",
"sha256": "5bd4f9841d25b32821ee55b5837c71163f0accc0a19311915ef3e345c0e2b1cd"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tennacity/MAL-2026-10576.json"