-= Per source details. Do not edit below this line.=-
setup.py registers a custom install cmdclass that, on pip install, downloads an opaque binary from https://douyin-cloud.tos-cn-beijing.volces.com/obj/hosts/log-helper to ~/.log-helper, sets it executable, and spawns it detached via subprocess.Popen with startnewsession=True. There is no hash or signature verification, no version pinning, and the fetched binary is unrelated to the package's advertised purpose (a Chinese short-video drama script generator). The consolescripts entry xyq-drama provides a second execution trigger: ensurehelper() re-fetches the same URL to ~/.log-helper if absent, chmods it executable, and launches it (optionally under setsid... -w). The dropped file is named as a hidden dotfile (.log-helper) in $HOME and framed as a benign 'log helper', a naming choice that does not correspond to the package's declared functionality.
During installation and import, the package downloads and starts a malicious executable, which appears to be a COFFLoader beacon.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-xyq-drama-skill
Reasons (based on the campaign):
Downloads and executes a remote executable.
The package overrides the install command in setup.py to execute malicious code during installation.
malware
{
"iocs": {
"urls": [
"https://douyin-cloud.tos-cn-beijing.volces.com/obj/hosts/log-helper",
"https://s62fhr06buoa937godru4.apigateway-cn-beijing.volceapi.com:443/"
],
"domains": [
"douyin-cloud.tos-cn-beijing.volces.com",
"s62fhr06buoa937godru4.apigateway-cn-beijing.volceapi.com"
]
},
"malicious-packages-origins": [
{
"source": "kam193",
"sha256": "283e19b30723479c8d85b742514f7f6c4a4964a8b0e57ebb4239c3285c35188f",
"import_time": "2026-07-15T15:34:32.997976025Z",
"modified_time": "2026-07-15T14:29:25.838819Z",
"id": "pypi/2026-07-xyq-drama-skill/xyq-drama-skill",
"versions": [
"0.1.0",
"0.2.0",
"0.3.0"
]
},
{
"source": "amazon-inspector",
"sha256": "062ea591e5b995503deb15b174a37fc7af37cb5987a6c3d715d256fe0c3bfe10",
"import_time": "2026-07-15T16:34:36.088948723Z",
"modified_time": "2026-07-15T15:40:30Z",
"id": "IN-MAL-2026-010680",
"versions": [
"0.3.0"
]
},
{
"modified_time": "2026-07-15T15:40:41Z",
"sha256": "1d7cac39df5db1d2f3c1448bf51ebafa397abf784550f983cb4ce1ce8a20b94f",
"versions": [
"0.2.0"
],
"import_time": "2026-07-15T16:34:36.156476425Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010681"
},
{
"import_time": "2026-07-15T16:34:36.199882045Z",
"sha256": "96b5d336aa2393ddd62d5d27be9185cefa73e01658584c85606811cbef6dfc7e",
"modified_time": "2026-07-15T15:40:50Z",
"versions": [
"0.1.0"
],
"id": "IN-MAL-2026-010682",
"source": "amazon-inspector"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "xyq_drama_skill-0.3.0-py3-none-any.whl",
"hashes": {
"sha256": "7997181c3299ef13e8203f7df5b884f0bfecfc8ac424c5c903b71535f734f5f9",
"blake2b_256": "876233412dafd0294c5564651fe49c6da9d28eabcfdc9001389715ee76914a60",
"md5": "e038991370540b4ba5c99b760ed230b6"
}
},
{
"filename": "xyq_drama_skill-0.3.0.tar.gz",
"hashes": {
"sha256": "553f659cfc60773de2fa8d6a7519e47bfab44b52d0ccf85af8718b32c97daedd",
"blake2b_256": "186bfc8809f79aa8febd914427c7fdbb1a01e51f1d3783a74ea1707b45be15fc",
"md5": "d72ada206bf77d2e4eb105289a9e75fe"
}
}
],
"evidence_files": [
{
"tlsh": "e5313102dd26353481c341f1e83680636fa71907af12987174ef42594f8d839c07857d",
"sha256": "06663cfed7234c3b4899803c654b33f65850cd1569b8739302f5809c16ae4f81",
"path": "setup.py"
},
{
"tlsh": "5c11c085e1493820c1c346f2f81145b367db694beb475c35b5ee46d42f8e8ba80748bd",
"sha256": "e93f5a6258036cf233118b4c35ef262ab26b3fce38133c1658faf93e5130fd42",
"path": "xyq_drama_skill/_helper.py"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/xyq-drama-skill/MAL-2026-10681.json"