MAL-2026-10689

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pylogora/MAL-2026-10689.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10689
Published
2026-07-15T17:30:11Z
Modified
2026-07-15T18:19:27.519347878Z
Summary
Malicious code in pylogora (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (b01e8dfbdf9823541eee73bd52086cac9e0ea70246992afe74873372b5d6a293)

The typosquatted package installs a Mythic/Poseidon C2 framework beacon and ensures persistence. After installation, the beacon communicates with C2 on wegoexchange[.]site for further commands.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-tennacity

Reasons (based on the campaign):

  • typosquatting

  • Downloads and executes a remote executable.

  • The package contains code to detect if it is running in a sandbox environment.

  • malware

  • persistence

Database specific
{
    "iocs": {
        "domains": [
            "wegoexchange.site",
            "easyswapnow.pro",
            "easyswasnow.pro"
        ],
        "urls": [
            "https://easyswapnow.pro/downloads/lix_amd.bin",
            "https://easyswapnow.pro/downloads/lix_arm.bin",
            "https://easyswapnow.pro/downloads/mac_amd.bin",
            "https://easyswapnow.pro/downloads/mac_arm.bin",
            "https://easyswasnow.pro/downloads/lix_amd.bin",
            "https://easyswasnow.pro/downloads/lix_arm.bin",
            "https://easyswasnow.pro/downloads/mac_amd.bin",
            "https://easyswasnow.pro/downloads/mac_arm.bin",
            "https://drive.google.com/uc?export=download&id=1d4zF8lnDaYCgzRrEx3WCyLTFZXVD2QBF&confirm=t",
            "http://wegoexchange.site/data"
        ]
    },
    "malicious-packages-origins": [
        {
            "sha256": "b01e8dfbdf9823541eee73bd52086cac9e0ea70246992afe74873372b5d6a293",
            "versions": [
                "0.7.8"
            ],
            "source": "kam193",
            "id": "pypi/2026-07-tennacity/pylogora",
            "modified_time": "2026-07-15T17:30:11.232386Z",
            "import_time": "2026-07-15T17:59:58.799412181Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / pylogora

Package

Affected ranges

Affected versions

0.*
0.7.8

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pylogora/MAL-2026-10689.json"