MAL-2026-4814

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/vectordb-engine/MAL-2026-4814.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4814
Published
2026-05-26T13:08:58Z
Modified
2026-05-26T23:00:55.117222790Z
Summary
Malicious code in vectordb-engine (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (42695503b90ec4adc30c038c3321d637f05038f841bcc5f463a16b891fe4e3e0)

During pip install, a custom build_ext step in src/vectordb_engine_build.py runs an obfuscated payload that performs targeted reconnaissance and exfiltration. Before doing anything else, it SHA-256-hashes the lowercased machine hostname against an obfuscated salt and compares the digest against three hardcoded allowed-hash constants; if the hostname does not match, the process calls exit() — the canonical shape of a targeted supply-chain implant that lies dormant on non-victim machines.

On matching hosts, the script collects hostname, FQDN, OS, architecture, Python version, and OS username, concatenates them with | separators, XOR-encrypts the blob with a hardcoded key, hex-encodes the result, and issues an HTTPS GET to https://vectordbengine.blob.core.windows.net/kernels/?v=<encoded-fingerprint>. A separate function reads environment variables whose names are concealed behind a base85+XOR+zlib decoder (_ORQFVrfoaIJyX4SjOvpEI) and folds the values into the same exfil pipeline, consistent with scraping CI/cloud secrets without leaving readable identifiers in the source. urllib3.disable_warnings() is invoked to suppress TLS warnings.

The package metadata uses placeholder publisher identity (VectorDB Contributors, support@vectordb-engine.io) and constructs a cover-story URL https://releases.vectordb-engine.io/kernels that is built into a string but never actually requested — it exists only as a decoy alongside the real Azure blob exfil endpoint. Each of (hostname-allowlist gating with exit() fallback, obfuscated env-var-name scraper feeding a network exfil, host-fingerprint XOR-encoded into a query string against attacker-controlled storage, decoy-domain cover story with placeholder publisher metadata) is independently sufficient evidence of a targeted attack; their joint presence leaves no benign interpretation.
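Added example, not code from the advisory or from the package: a small AST-based triage script that flags, in a setup.py or build helper, the indicators the report above describes (a custom build_ext, a hostname lookup fed into SHA-256, hardcoded 64-hex digests, an exit() fallback, urllib3.disable_warnings(), base85/zlib decoders, network calls). The indicator names, the callee table and the SAMPLE skeleton are constructed for illustration and mirror the described behaviour only in shape.

```python
import ast

def _call_name(node):
    """Dotted callee name of a Call node, e.g. 'hashlib.sha256' or 'sys.exit'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    parts.append(f.id if isinstance(f, ast.Name) else "?")
    return ".".join(reversed(parts))

# Callee -> indicator. Indicator names are this example's own; the callees mirror the advisory text.
CALL_INDICATORS = {
    "socket.gethostname": "hostname_lookup", "platform.node": "hostname_lookup",
    "hashlib.sha256": "sha256_hash", "exit": "exit_call", "sys.exit": "exit_call", "os._exit": "exit_call",
    "urllib3.disable_warnings": "tls_warning_suppressed",
    "base64.b85decode": "encoded_blob_decoder", "zlib.decompress": "encoded_blob_decoder",
    "urllib.request.urlopen": "network_call", "requests.get": "network_call",
}

def triage_build_script(source):
    """Return the set of indicators found in a setup.py or build helper's source."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef) and any(
                getattr(b, "id", getattr(b, "attr", None)) == "build_ext" for b in node.bases):
            found.add("custom_build_ext")  # cmdclass hook that runs during pip install
        elif isinstance(node, ast.Call) and _call_name(node) in CALL_INDICATORS:
            found.add(CALL_INDICATORS[_call_name(node)])
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str) and len(node.value) == 64
              and all(c in "0123456789abcdef" for c in node.value.lower())):
            found.add("hardcoded_sha256_digest")  # allowlist constants a hostname hash is compared to
    return found

def is_targeted_implant_shape(found):
    """Hostname hashed, compared against baked-in digests, exit() on non-targets."""
    return {"hostname_lookup", "sha256_hash", "hardcoded_sha256_digest", "exit_call"} <= set(found)

# Constructed sample mirroring the gate the advisory describes; it is not the real package's code.
SAMPLE = '''
import hashlib, socket, sys, urllib3
from setuptools.command.build_ext import build_ext
_ALLOWED = ("%s", "%s")
class Build(build_ext):
    def run(self):
        urllib3.disable_warnings()
        h = hashlib.sha256((socket.gethostname().lower() + "salt").encode()).hexdigest()
        if h not in _ALLOWED:
            sys.exit()
''' % ("0" * 64, "1" * 64)
```

Run `triage_build_script` over every .py file in an unpacked sdist and escalate when `is_targeted_implant_shape` is true; a hit is a triage signal for manual review, not a verdict on its own.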

Source: kam193 (b1908db5bd2b5d1d4a5ab9238d71d6da0147994c2bb812e1ffb7e0e90626e2b4)

During installation, in the build step, the code performs machine fingerprinting and, only in a highly targeted environment, downloads a likely-malicious shared library. The code seems to actually be incomplete.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-vectordb-engine

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • targetted-attack

  • obfuscation

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T13:32:46.958207847Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "42695503b90ec4adc30c038c3321d637f05038f841bcc5f463a16b891fe4e3e0",
            "id": "IN-MAL-2026-004910",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T13:08:58Z"
        },
        {
            "modified_time": "2026-05-26T21:59:35.102583Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "b1908db5bd2b5d1d4a5ab9238d71d6da0147994c2bb812e1ffb7e0e90626e2b4",
            "id": "pypi/2026-05-vectordb-engine/vectordb-engine",
            "source": "kam193",
            "import_time": "2026-05-26T22:55:24.736846288Z"
        }
    ],
    "iocs": {
        "domains": [
            "vectordbengine.blob.core.windows.net"
        ]
    }
}
References
Credits

Affected packages

Package: PyPI / vectordb-engine

Affected ranges: 1.*

Affected versions: 1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "0a2aa6695bdd2be1a18c38cf3d938bb52d795f13739f736d9ba8f3dc7d9e6c70",
            "tlsh": "80c2b226dc5a682121b3d55e8ca6f063fb690743970e58257abc0314af321a5d3f1ebf",
            "path": "src/vectordb_engine_build.py"
        }
    ],
    "package_integrity": [
        {
            "filename": "vectordb_engine-1.0.0.tar.gz",
            "hashes": {
                "blake2b_256": "45516a6f9c2e7a3c5293e36bc659637b6bdaa9e38efe79a131b8f5178e52754d",
                "md5": "e6ec863ab98ad77d0c222b51932e32ea",
                "sha256": "883518dae64216fca4ecdcf8c16100aff193a54eea3b17bc8dbb6f38f8caeb5e"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/vectordb-engine/MAL-2026-4814.json"