MAL-2026-4291
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pylogkt/MAL-2026-4291.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-4291
- Published
- 2026-05-25T01:25:10Z
- Modified
- 2026-05-26T06:03:13.385039623Z
- Summary
- Malicious code in pylogkt (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (aa1c9e5bf0ffd994f076a4a76395b5bcccd2716229439910912bd49aaf52f903)
The package masquerades as a logging utility but every call to its logging API (log.info/debug/etc) triggers Logger.log, which on macOS hosts (paths starting with /Users or /Library) silently spawns a detached subprocess running pylogkt/check.py. That script self-deletes from disk (os.remove(file)), then enters an infinite 60-second polling loop against https://pypkg.dev/project/pylogkt/json with TLS verification disabled (ssl.createunverifiedcontext()). The first POST exfiltrates the absolute install path (basedir.encode()), revealing the victim's username and site-packages layout. Subsequent responses are base64-decoded and passed to os.system via
pip show <data>; the shell-escape filter allows;,|,&,(,), and>, making arbitrary command injection trivial. The C2 host pypkg.dev typosquats pypi.org and uses a /project/<pkg>/json path that mimics PyPI's real JSON API to camouflage the traffic. This is a full-fidelity backdoor: persistent C2, self-evidence-deletion, disabled TLS, and remote command execution on the installer's machine.Source: kam193 (90888c84173734fb54c893b2634d4d96c6fca8a04e0cbde4ca8e39ec1878b1bc)
Package silently executes remote code during import.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-lognest
Reasons (based on the campaign):
- Downloads and executes a remote malicious script.
- Database specific
{ "iocs": { "domains": [ "pypkg.dev" ], "urls": [ "https://pypkg.dev/project/logger/json" ] }, "malicious-packages-origins": [ { "id": "pypi/2026-05-lognest/pylogkt", "versions": [ "0.1.2" ], "source": "kam193", "modified_time": "2026-05-25T03:28:41.116176Z", "sha256": "90888c84173734fb54c893b2634d4d96c6fca8a04e0cbde4ca8e39ec1878b1bc", "import_time": "2026-05-25T05:03:48.345118229Z" }, { "source": "kam193", "versions": [ "0.1.2" ], "sha256": "a477e4b644651b855ab6d0568792cc1ce87910245e26752df47377ac9f4ebb86", "modified_time": "2026-05-25T03:28:41.116176Z", "id": "pypi/2026-05-lognest/pylogkt", "import_time": "2026-05-25T10:37:43.683100678Z" }, { "id": "IN-MAL-2026-004564", "import_time": "2026-05-26T05:52:51.015365646Z", "versions": [ "0.1.2" ], "modified_time": "2026-05-25T01:25:10Z", "source": "amazon-inspector", "sha256": "aa1c9e5bf0ffd994f076a4a76395b5bcccd2716229439910912bd49aaf52f903" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- Kamil Mańkowski (kam193) - ANALYST
-
- Kamil Mańkowski (kam193) - REPORTER
-
Affected packages
PyPI / pylogkt
Package
- Name
- pylogkt
- View open source insights on deps.dev
- Purl
- pkg:pypi/pylogkt
Database specific
indicators
{
"package_integrity": [
{
"filename": "pylogkt-0.1.2-py3-none-any.whl",
"hashes": {
"md5": "5a38c151a4662f978da960003e5d9e92",
"sha256": "b13fc08f7531ee52649f84d886885593060febbab2b3e7e5312175c64fbf8ec3",
"blake2b_256": "7aebfcac2f1d513c0875828fb72324b3a7b46909870c65f9fdcb194788343261"
}
},
{
"filename": "pylogkt-0.1.2.tar.gz",
"hashes": {
"md5": "30df2fe937feb3b1ef1d4851e96d15b9",
"sha256": "26f708bea0958cf20e27d86c14d0149db96f5863f8368bd30266c218e072b5b7",
"blake2b_256": "a666696c6fde7dcdf29c8c41312408136eec8cf19e362c39a0b424d80c05b24d"
}
}
],
"evidence_files": [
{
"sha256": "51e8d7b1631d7e4a805956a0dccbbf3e04b3f2e3b8ea2a5b4de2e73723185b9e",
"tlsh": "9e315366a91c00a9d383889bd820e5601737fc0f6a01ca74fadcd3a05fc957782f3a89",
"path": "pylogkt/_check.py"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pylogkt/MAL-2026-4291.json"
cwes
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]