MAL-2026-3778

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/natazx/MAL-2026-3778.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3778
Published
2026-05-14T19:24:33Z
Modified
2026-05-15T07:52:29.239149Z
Summary
Malicious code in natazx (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d0514a0df660dfc4e7380f68e8533fa325ccc246ba21855975f73d3af78cd9f0)

On import natazx, the package's top-level code executes several installer-hostile actions without consent:

(1) It unconditionally overwrites the host's DNS configuration at /etc/resolv.conf (and the Termux equivalent) to point at 1.1.1.1/1.0.0.1 with aggressive timeouts, a system-wide change affecting every process on the host.

(2) It runs pkill -9 tor and spawns a detached Tor daemon via start_new_session=True using a torrc written to /tmp/torrc, establishing a process that outlives the Python interpreter.

(3) It shells out to pip install for five unpinned packages (colorama, requests, pycryptodome, urllib3, cfonts), bypassing the declared dependencies (dependencies = [] in pyproject.toml), so the installer's environment is silently mutated with whatever the current PyPI releases happen to be.

(4) It fetches a JSON allowlist from a mutable GitHub main-branch ref (raw.githubusercontent.com/septianhdnatta/idd/refs/heads/main/device.json), builds a device fingerprint from serial number, build.prop, platform, uid and timezone, and calls sys.exit(1) if the installer's fingerprint is not on the author's list.

The package's advertised function (main()) is a ToS-violating mass account-registration tool against Garena / Free Fire endpoints (100067.connect.garena.com, loginbp.ggblueshark.com, loginbp.common.ggbluefox.com) using hardcoded HMAC and AES-CBC keys, routed through 40 embedded HTTP proxy credentials on ten rotating IPs.

The combination of import-time system-file destruction (resolv.conf overwrite), persistence (detached Tor daemon), silent environment mutation (unpinned pip installs), remote kill-switch (device-fingerprint allowlist on a mutable GitHub ref) and abuse-tool payload makes this package hostile to any environment in which it is installed.
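A static triage check for the four import-time behaviours listed above, written for this page as an added example (it is not the package's code and not the Amazon Inspector analysis). It parses a module with Python's ast, visits only the statements that execute on import (function and class bodies and an if __name__ == "__main__" block are skipped), and flags writes to /etc/resolv.conf, pkill/kill shell-outs, subprocess calls with start_new_session=True, pip install shell-outs with unpinned names, raw.githubusercontent.com URLs that are not pinned to a commit SHA, and sys.exit() reachable during import. The SAMPLE module is constructed to mirror the advisory's description rather than taken from the sdist; the set of system files and the shell-call prefixes are assumptions to extend for your environment.

```python
"""Static triage of a Python module for import-time side effects (added example)."""
import ast
from collections import namedtuple

Finding = namedtuple("Finding", "line kind detail")
SYSTEM_FILES = {"/etc/resolv.conf"}  # assumption: extend with other host-critical paths
WRITE_MODES = {"w", "w+", "a", "a+", "wb", "ab", "r+"}
SHELL_CALLS = ("subprocess.", "os.system", "os.popen")  # assumption: 'from subprocess import run' not covered
EXIT_CALLS = {"sys.exit", "os._exit", "exit", "quit"}

def _dotted(node):
    """'subprocess.run' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def _strings(node):
    return [n.value for n in ast.walk(node) if isinstance(n, ast.Constant) and isinstance(n.value, str)]

def mutable_github_ref(url):
    """Ref of a raw.githubusercontent.com URL unless it is pinned to a 40-hex commit SHA."""
    host = "raw.githubusercontent.com/"
    if host not in url:
        return None
    parts = url.split(host, 1)[1].split("/")
    if len(parts) < 4:
        return None
    ref = "/".join(parts[2:5]) if parts[2] == "refs" else parts[2]
    pinned = len(ref) == 40 and all(c in "0123456789abcdef" for c in ref.lower())
    return None if pinned else ref

def _inspect_call(call, out):
    name = _dotted(call.func) or ""
    strings = _strings(call)
    # (1) a system file opened for writing
    target = next((s for s in strings if s in SYSTEM_FILES), None)
    if target and name == "open" and any(s in WRITE_MODES for s in strings):
        out.append(Finding(call.lineno, "system-file-write", target))
    # (2)/(3) shell-outs: process killing, detached sessions, unpinned pip installs
    if name.startswith(SHELL_CALLS):
        tokens = " ".join(strings).split()
        if {"pkill", "killall", "kill"} & set(tokens):
            out.append(Finding(call.lineno, "process-kill", " ".join(tokens)))
        if any(kw.arg == "start_new_session" and getattr(kw.value, "value", None) is True
               for kw in call.keywords):
            out.append(Finding(call.lineno, "detached-daemon", " ".join(tokens)))
        if "pip" in tokens and "install" in tokens:
            pkgs = [t for t in tokens[tokens.index("install") + 1:] if not t.startswith("-")]
            unpinned = [p for p in pkgs if not any(op in p for op in ("==", "@", "<", ">", "~="))]
            if unpinned:
                out.append(Finding(call.lineno, "pip-install-unpinned", " ".join(unpinned)))
    # (4) kill-switch: the interpreter exits while the module is being imported
    if name in EXIT_CALLS:
        out.append(Finding(call.lineno, "exit-on-import", name))

def _runs_on_import(stmt):
    """Nodes executed on import: skips def/class/lambda bodies and `if __name__ == ...` blocks."""
    stack = [stmt]
    while stack:
        node = stack.pop()
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)):
            continue
        if (isinstance(node, ast.If) and isinstance(node.test, ast.Compare)
                and isinstance(node.test.left, ast.Name) and node.test.left.id == "__name__"):
            stack.extend(node.orelse)  # only the else-branch of a __main__ guard runs on import
            continue
        yield node
        stack.extend(ast.iter_child_nodes(node))

def scan_import_time(source, filename="<module>"):
    """Findings for code that executes on `import`, sorted by line."""
    out = []
    for stmt in ast.parse(source, filename).body:
        for node in _runs_on_import(stmt):
            if isinstance(node, ast.Call):
                _inspect_call(node, out)
            elif isinstance(node, ast.Constant) and isinstance(node.value, str):
                ref = mutable_github_ref(node.value)
                if ref:
                    out.append(Finding(node.lineno, "mutable-remote-ref", f"{ref} in {node.value}"))
    return sorted(out, key=lambda f: (f.line, f.kind))

# Constructed sample modelled on the advisory's description; NOT the natazx source.
SAMPLE = r'''import subprocess, sys, requests
with open("/etc/resolv.conf", "w") as fh:
    fh.write("nameserver 1.1.1.1\nnameserver 1.0.0.1\n")
subprocess.run(["pkill", "-9", "tor"])
subprocess.Popen(["tor", "-f", "/tmp/torrc"], start_new_session=True)
subprocess.run([sys.executable, "-m", "pip", "install", "colorama", "requests", "pycryptodome", "urllib3", "cfonts"])
ALLOW = requests.get("https://raw.githubusercontent.com/septianhdnatta/idd/refs/heads/main/device.json").json()
if "fingerprint" not in ALLOW:
    sys.exit(1)
def main():
    subprocess.run(["pkill", "-9", "tor"])  # inside a function: does not run on import
if __name__ == "__main__":
    main()
'''

if __name__ == "__main__":
    for f in scan_import_time(SAMPLE, "natazx.py"):
        print(f"line {f.line:>2}  {f.kind:<21} {f.detail}")
```

Run it over a module extracted from an sdist (for this package the evidence file path is src/natazx/natazx.py) or over any package about to be installed. The second pkill in main() is deliberately not reported: it only fires when the function is called, which is exactly the line the advisory draws between the import-time behaviours (1) to (4) and the main() payload.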

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002630",
            "import_time": "2026-05-15T07:37:15.035779786Z",
            "sha256": "d0514a0df660dfc4e7380f68e8533fa325ccc246ba21855975f73d3af78cd9f0",
            "modified_time": "2026-05-14T19:24:33Z",
            "source": "amazon-inspector",
            "versions": [
                "0.1.2"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / natazx

Package

Affected ranges

Affected versions

0.*
0.1.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "natazx-0.1.2-py3-none-any.whl",
            "hashes": {
                "md5": "1425e448a0fdc7a6866b8c4175e18fe2",
                "sha256": "c241cfd016e236183ec968782ab2a710651ee587373592597f1e4a87cd29d995",
                "blake2b_256": "d7b1e6e17a3e2319e1302efc4e78bc90ef908434cbcf850e97ebb3c57ef05e63"
            }
        },
        {
            "filename": "natazx-0.1.2.tar.gz",
            "hashes": {
                "md5": "eab93f2ef56718e39be0ff4d693f3625",
                "sha256": "7d4b5c4e9d46a7ce4018bb2c54c936192b87b5af5dbae411a051c73bfd4c90c0",
                "blake2b_256": "2f620479b9e9a4ed01d1abcd22adeae6660e7d95fddf1457da595c1b7c15f4ba"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "c9d80de7df402bbb38da56b6084847371d0602bad25306035e48c802827291e5",
            "tlsh": "0813c595681018a1d702cc2d4cb6ad61332a380bd5456a68ffdc96e82fbc236de717bd",
            "path": "src/natazx/natazx.py"
        }
    ]
}
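A check that turns the package_integrity block above into something a CI job or responder can run against a wheelhouse or artifact directory, added here as an example and not part of the OSV record. The hashes are copied from the indicators above; the bytes used in the self-test are constructed and therefore match only the entry computed for them. The one non-obvious detail is that PyPI's blake2b_256 is BLAKE2b with a 32-byte digest, so hashlib.blake2b must be called with digest_size=32.

```python
"""Match local distribution files against the advisory's package_integrity hashes (added example)."""
import hashlib

# Indicator hashes for natazx 0.1.2, copied from the OSV record on this page.
KNOWN_BAD = {
    "natazx-0.1.2-py3-none-any.whl": {
        "md5": "1425e448a0fdc7a6866b8c4175e18fe2",
        "sha256": "c241cfd016e236183ec968782ab2a710651ee587373592597f1e4a87cd29d995",
        "blake2b_256": "d7b1e6e17a3e2319e1302efc4e78bc90ef908434cbcf850e97ebb3c57ef05e63",
    },
    "natazx-0.1.2.tar.gz": {
        "md5": "eab93f2ef56718e39be0ff4d693f3625",
        "sha256": "7d4b5c4e9d46a7ce4018bb2c54c936192b87b5af5dbae411a051c73bfd4c90c0",
        "blake2b_256": "2f620479b9e9a4ed01d1abcd22adeae6660e7d95fddf1457da595c1b7c15f4ba",
    },
}
STRONG = ("sha256", "blake2b_256")  # md5 is computed for reporting but never decides a match

def digests(data):
    """PyPI-style digest set; 'blake2b_256' is BLAKE2b truncated to a 32-byte digest."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }

def from_osv_indicators(indicators):
    """Build the KNOWN_BAD shape from an OSV 'indicators' object as shown on this page."""
    return {e["filename"]: e["hashes"] for e in indicators.get("package_integrity", [])}

def match_known_bad(data, known=KNOWN_BAD):
    """Name of the advisory artifact whose strong hashes match data, or None."""
    ours = digests(data)
    for filename, hashes in known.items():
        if any(ours[algo] == hashes[algo].lower() for algo in STRONG if algo in hashes):
            return filename
    return None

def scan_files(paths, known=KNOWN_BAD):
    """Map each path whose contents match a known-bad artifact to the advisory filename."""
    hits = {}
    for path in paths:
        with open(path, "rb") as fh:
            name = match_known_bad(fh.read(), known)
        if name:
            hits[path] = name
    return hits
```

Because the match is on content rather than on the filename, a renamed copy of the wheel or sdist in a mirror or a build cache is still caught; a re-uploaded release with different bytes is not, which is why the version range 0.* in the affected-packages section, not the hash list, should drive blocking.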
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/natazx/MAL-2026-3778.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]