MAL-2026-3687

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/crazehub/MAL-2026-3687.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3687
Published
2026-05-12T07:43:40Z
Modified
2026-05-13T20:22:37.639310Z
Summary
Malicious code in crazehub (PyPI)
Details

Source: amazon-inspector (53d37c0e75f63e9da7adcc1f71f8b67a665d080342df6857a15dadc297e4f075)

crazehub/__init__.py performs multiple user-hostile actions at import time. Lines 2-3 of that file unconditionally run os.system("pip install phonenumbers") and os.system("clear"), silently mutating the installer's Python environment and spawning shell commands without consent. Lines 18-26 fetch https://pastebin.com/raw/jkFG4kpy via urllib.request.urlopen to retrieve an author-mutable token list, then gate execution on an interactive input('>> ') prompt and call sys.exit(0) on mismatch. This breaks CI and any other non-interactive install, and it establishes a live, attacker-mutable remote-content channel that can be repurposed at any time. The package also captures the hostname and IP address and base64-encodes the IP; the result is currently written only locally, but it is one paste edit away from exfiltration. Package metadata is placeholder (url='https://google.com', generic description). Any one of import-time pip install, import-time shell execution, or mutable remote content driving control flow is independently sufficient to block; all three together make this a clear install/import-time remote code execution surface on the installer.
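The three signals above (import-time shell execution and pip install, an import-time remote fetch, and an interactive prompt or hard exit at module scope) can all be found statically, without importing the package. The following is an added example, not part of this advisory and not code from the crazehub package: a small ast-based scanner that only considers calls reachable when the module is imported (function bodies are skipped, their decorators and default values are not) and applies the advisory's own block criteria. The rule names and the SAMPLE module are this example's constructions; SAMPLE mimics the behaviours described above but is not the actual crazehub/__init__.py, and its URL uses the reserved .invalid TLD.

```python
"""Static scan for import-time side effects in a Python module.

Uses ast only; nothing in the scanned source is executed. The rule sets
below are this example's own choice, not a published standard.
"""
import ast

# Dotted call names that are red flags when reached at module import time.
RULES = {
    "shell_exec": {"os.system", "os.popen", "subprocess.run", "subprocess.call",
                   "subprocess.Popen", "subprocess.check_output"},
    "network_fetch": {"urllib.request.urlopen", "requests.get", "requests.post"},
    "interactive_prompt": {"input"},
    "hard_exit": {"sys.exit", "exit", "quit"},
    "host_fingerprint": {"socket.gethostname", "socket.gethostbyname"},
}
# Findings that on their own justify rejecting the package, mirroring the
# advisory's criteria (import-time pip install, shell exec, remote content).
BLOCKING = {"shell_exec", "network_fetch", "import_time_pip_install"}


def dotted_name(node):
    """Return 'pkg.mod.func' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def import_time_calls(node):
    """Yield every Call node that executes when the module is imported.

    Function and lambda bodies are skipped (they run only when called);
    their decorators and default values do run at import and are visited.
    Class bodies execute at import time, so they are walked normally.
    """
    if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
        children = list(getattr(node, "decorator_list", []))
        children += node.args.defaults
        children += [d for d in node.args.kw_defaults if d is not None]
    else:
        children = list(ast.iter_child_nodes(node))
    if isinstance(node, ast.Call):
        yield node
    for child in children:
        yield from import_time_calls(child)


def scan_module(source, filename="<module>"):
    """Return sorted [(line, rule, detail)] for import-time calls matching RULES."""
    findings = []
    for call in import_time_calls(ast.parse(source, filename)):
        name = dotted_name(call.func)
        if name is None:
            continue
        for rule, names in RULES.items():
            if name in names:
                findings.append((call.lineno, rule, name))
        if name in RULES["shell_exec"]:
            # A shell call whose literal argument runs pip gets its own rule:
            # it mutates the installer's environment, not just spawns a shell.
            for arg in call.args:
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str) \
                        and "pip install" in arg.value:
                    findings.append((call.lineno, "import_time_pip_install", arg.value))
    return sorted(findings)


def verdict(findings):
    """'block' on any BLOCKING rule, 'review' on weaker signals, else 'pass'."""
    if any(rule in BLOCKING for _, rule, _ in findings):
        return "block"
    return "review" if findings else "pass"


# Constructed sample mimicking the behaviours the advisory describes.
# This is NOT the crazehub file; the URL is a placeholder.
SAMPLE = '''\
import os, sys, socket, base64
import urllib.request
os.system("pip install phonenumbers")
os.system("clear")

def helper():
    return os.system("echo runs only when helper() is called")

tokens = urllib.request.urlopen("https://example.invalid/tokens").read().decode().split()
if input(">> ") not in tokens:
    sys.exit(0)
ip_b64 = base64.b64encode(socket.gethostbyname(socket.gethostname()).encode())
'''

if __name__ == "__main__":
    found = scan_module(SAMPLE, "sample/__init__.py")
    for line, rule, detail in found:
        print(f"line {line}: {rule}: {detail}")
    print("verdict:", verdict(found))
```

Run it against each `__init__.py` and `setup.py` of a package before installing; because the scanner never imports the module, it is safe to point at untrusted sdists. It is a triage aid, not a proof of absence: dynamic tricks such as `getattr(os, "sys" + "tem")` or exec of a decoded string produce no dotted name and need the reviewer's eye.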

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002340",
            "import_time": "2026-05-13T20:10:56.148358065Z",
            "sha256": "53d37c0e75f63e9da7adcc1f71f8b67a665d080342df6857a15dadc297e4f075",
            "source": "amazon-inspector",
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "3.6.0"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / crazehub

Package: PyPI / crazehub
Affected ranges: (none listed)
Affected versions: 3.* (3.6.0)

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "crazehub/__init__.py",
            "sha256": "383edf77190ff6a1b46db7315cfac52240df4ee71319dff65d64395a8570d650",
            "tlsh": "c82111109f221ad8d7d8080f7e4a91b1e729dcfdef0a55615488c3d94c6ab2de923e63"
        },
        {
            "path": "setup.py",
            "sha256": "c8f21720003d2972bfd32bc047f451c278332e5abdea950e4c22abce8acf1fe4",
            "tlsh": "f201647b18ca22b57ac10067991e1819483088330e8878d97cfd460e8feef3e497443c"
        }
    ],
    "package_integrity": [
        {
            "filename": "crazehub-3.6.0.tar.gz",
            "hashes": {
                "md5": "ae3b725e6752ebfa81985103357fd6db",
                "blake2b_256": "351275fd368a9bb8f1191f26f4a6ed26ea11134fa5c073694b5b809fd1ab8614",
                "sha256": "91b0ad930e1989b2711a5257bc6e53f3eb7609f1a9ba9229bbbf30b157be44f4"
            }
        }
    ],
    "urls": [
        "https://pastebin.com/raw/jkFG4kpy",
        "https://google.com"
    ],
    "domains": [
        "pastebin.com",
        "google.com"
    ]
}
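The package_integrity hashes above identify the malicious sdist by content, so a local pip cache, private index or build host can be checked for it even if the file was renamed. The following is an added example, not part of the advisory or the OSV tooling: it copies the crazehub-3.6.0.tar.gz hashes from the indicators block into a list, computes the same three digests for a local artifact (PyPI's "blake2b_256" is BLAKE2b with a 32-byte digest), and reports a match on either strong hash. The scan_dir function and the file-suffix list are this example's own assumptions.

```python
"""Check local Python artifacts against an OSV advisory's package_integrity
hashes. Standard library only; runs offline."""
import hashlib
import os
import tempfile

# Copied from the MAL-2026-3687 indicators block.
KNOWN_BAD = [
    {
        "filename": "crazehub-3.6.0.tar.gz",
        "hashes": {
            "md5": "ae3b725e6752ebfa81985103357fd6db",
            "blake2b_256": "351275fd368a9bb8f1191f26f4a6ed26ea11134fa5c073694b5b809fd1ab8614",
            "sha256": "91b0ad930e1989b2711a5257bc6e53f3eb7609f1a9ba9229bbbf30b157be44f4",
        },
    }
]


def digests(data):
    """Return the three digests PyPI publishes, under OSV's key names."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_known_bad(data, entries=KNOWN_BAD):
    """Return the advisory filename whose hashes match `data`, else None.

    Only sha256 and blake2b_256 are decisive; md5 is computed for
    completeness but deliberately not used to confirm a match."""
    got = digests(data)
    for entry in entries:
        want = entry["hashes"]
        if got["sha256"] == want.get("sha256") or \
                got["blake2b_256"] == want.get("blake2b_256"):
            return entry["filename"]
    return None


def scan_dir(root, entries=KNOWN_BAD, suffixes=(".tar.gz", ".whl", ".zip")):
    """Walk `root` (e.g. a pip cache or mirror) and return [(path, advisory_filename)]."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                matched = match_known_bad(f.read(), entries)
            if matched:
                hits.append((path, matched))
    return hits


if __name__ == "__main__":
    # Demo on a constructed artifact: its hashes are added to the list so the
    # walk finds it under a different filename than the advisory's.
    with tempfile.TemporaryDirectory() as tmp:
        blob = b"constructed sdist bytes, not a real package"
        with open(os.path.join(tmp, "renamed-1.0.tar.gz"), "wb") as f:
            f.write(blob)
        entries = KNOWN_BAD + [{"filename": "constructed-1.0.tar.gz",
                                "hashes": digests(blob)}]
        print(scan_dir(tmp, entries))
```

Matching on file content rather than name matters because a mirror or cache may store the artifact under a hashed path; it also means a re-uploaded copy with a different name is still caught, while a modified copy is not and needs the indicator-file hashes (crazehub/__init__.py, setup.py) checked after extraction.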
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/crazehub/MAL-2026-3687.json"