MAL-2026-10643

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ethereum-input-decorder/MAL-2026-10643.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10643
Published
2026-07-15T03:52:02Z
Modified
2026-07-15T18:19:27.615121771Z
Summary
Malicious code in ethereum-input-decorder (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (94137fcf0aee7d8edb4e15a8bc9be4455fbdf79cb5bf99987b79f0393fdff62c)

The package name typosquats the legitimate 'ethereum-input-decoder'. Its top-level init.py unconditionally invokes a payload routine on import: it detects OS/arch, downloads a platform-specific binary from easyswapnow.pro (Linux/macOS builds at /downloads/lixamd.bin, lixarm.bin, macamd.bin, macarm.bin) or a Google Drive file for Windows, writes it to disk, sets the executable bit, and runs it via subprocess.run. The same import path also installs login persistence, writing ~/.config/systemd/user/python-script.service on Linux (enabled via systemctl --user enable --now) and ~/Library/LaunchAgents/com.user.script.plist on macOS (loaded via launchctl load -w), causing the dropper to re-run at every user login. setup.py ships placeholder author metadata ('Your Name', 'your.email@example.com') and a 'Hello World on import' description, contradicting the README which advertises an eth_defi demo; none of this matches the actual dropper. The destination domain easyswapnow.pro is unrelated to the advertised Ethereum-decoding purpose.

Source: kam193 (00437c563c5b7c2555d512f0066e6bdb5dc61300fd00027d1b5f0fc92a06d204)

The typosquatted package installs a Mythic/Poseidon C2 framework beacon and ensures persistence. After installation, the beacon communicates with C2 on wegoexchange[.]site for further commands.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-tennacity

Reasons (based on the campaign):

  • typosquatting

  • Downloads and executes a remote executable.

  • The package contains code to detect if it is running in a sandbox environment.

  • malware

  • persistence

Database specific
{
    "iocs": {
        "urls": [
            "https://easyswapnow.pro/downloads/lix_amd.bin",
            "https://easyswapnow.pro/downloads/lix_arm.bin",
            "https://easyswapnow.pro/downloads/mac_amd.bin",
            "https://easyswapnow.pro/downloads/mac_arm.bin",
            "https://drive.google.com/uc?export=download&id=1d4zF8lnDaYCgzRrEx3WCyLTFZXVD2QBF&confirm=t",
            "http://wegoexchange.site/data"
        ],
        "domains": [
            "wegoexchange.site",
            "easyswapnow.pro"
        ]
    },
    "malicious-packages-origins": [
        {
            "sha256": "00564c1a112d6de4089e6f15e5c4a40b7975579811424b1e4fe2aebef7486a8f",
            "versions": [
                "1.2.4"
            ],
            "id": "IN-MAL-2026-010607",
            "source": "amazon-inspector",
            "modified_time": "2026-07-15T03:52:02Z",
            "import_time": "2026-07-15T04:32:06.193585204Z"
        },
        {
            "sha256": "94137fcf0aee7d8edb4e15a8bc9be4455fbdf79cb5bf99987b79f0393fdff62c",
            "versions": [
                "1.2.2"
            ],
            "id": "IN-MAL-2026-010608",
            "source": "amazon-inspector",
            "modified_time": "2026-07-15T03:52:12Z",
            "import_time": "2026-07-15T04:32:06.32566024Z"
        },
        {
            "sha256": "00437c563c5b7c2555d512f0066e6bdb5dc61300fd00027d1b5f0fc92a06d204",
            "versions": [
                "1.2.2",
                "1.2.4"
            ],
            "source": "kam193",
            "id": "pypi/2026-07-tennacity/ethereum-input-decorder",
            "modified_time": "2026-07-15T07:23:55.052647Z",
            "import_time": "2026-07-15T08:51:08.558076785Z"
        },
        {
            "id": "pypi/2026-07-tennacity/ethereum-input-decorder",
            "versions": [
                "1.2.2",
                "1.2.4"
            ],
            "modified_time": "2026-07-15T07:23:55.052647Z",
            "source": "kam193",
            "sha256": "381c2db4c332b204ea25dcf08e4930a5f291918377816fa7305b68e3cd26134e",
            "import_time": "2026-07-15T17:59:58.79698792Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / ethereum-input-decorder

Package

Name
ethereum-input-decorder
View open source insights on deps.dev
Purl
pkg:pypi/ethereum-input-decorder

Affected ranges

Affected versions

1.*
1.2.2
1.2.4

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "ethereum_input_decorder-1.2.4-py3-none-any.whl",
            "hashes": {
                "blake2b_256": "9c42ce51a2c51605b114faf29bdf3ff7213572b9ae101b9069899dfa9cd652ce",
                "md5": "0cedbd81c2f7b0ac8c0654df3eb1e716",
                "sha256": "0c9106b52cdc5e8b050212060b2f0ded1a22f247d2bc170f9539c8059035c913"
            }
        },
        {
            "filename": "ethereum_input_decorder-1.2.4.tar.gz",
            "hashes": {
                "blake2b_256": "01d47e2b82610c84c004dec4a7e70a567862df1534601349ba76cc3a16d9f25b",
                "md5": "9133c416d45871062b1767daa17b5eff",
                "sha256": "d48fa377fbe06563c77b6fa945d6335d450b28d88a3ae05c2d5bd60d2dc3ae82"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "ethereum_input_decorder/__init__.py",
            "sha256": "1eec8391f36646f98e1767e279e260ea4bb2cf9f6fbb5f6a90f2f334d2e8784e",
            "tlsh": "1d0283d7cc8ae03141f292a94d33d592fb86a243165758a6b9fc89842f70c76c4b297f"
        },
        {
            "path": "setup.py",
            "tlsh": "83f002475e807cf002b8c4182c227d18f135471b1b90c88732bc024d7f396c50b2a384",
            "sha256": "ac2507b1b3de5940d5f71fee42167609b13a6a2882d81176fa9c07ba41146465"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ethereum-input-decorder/MAL-2026-10643.json"