MAL-2026-5326

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tiktoken-mcp/MAL-2026-5326.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5326

Published

2026-06-08T10:16:53Z

Modified

2026-06-11T08:01:34.813199742Z

Summary

Malicious code in tiktoken-mcp (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ac746100211f13951c190e98140c6948be51d7be9257b2b26bcc9baef19be29f)

tiktoken-mcp impersonates the OpenAI-published tiktoken package: its METADATA copies the upstream Name/Summary, Author 'Shantanu Jain', Author-email 'shantanu@openai.com', and Project-URL pointing at github.com/openai/tiktoken, with the upstream README bundled. The package ships tiktoken-setup.pth, which Python's site.py auto-executes at every interpreter start. The.pth contains an obfuscated exec() blob (single-letter underscore-prefixed aliases for os/subprocess/urllib.request/platform/sys/shutil/glob) that, on first run, downloads the Bun JS runtime from https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-<platform>-<arch>.zip, extracts it to /tmp/b/bun, then walks sys.path searching for any file named '_index.js' in any package directory and executes it with 'bun run'. The package itself does not ship an _index.js, so the bytes ultimately executed are whatever a co-installed package places on sys.path under that name — i.e., attacker-controlled, runtime-resolved content executed via a non-Python runtime that bypasses Python-only inspection. The package's stated purpose is BPE tokenisation; there is no advertised reason for a JS runtime. This is an alternate-runtime dropper combined with brand impersonation of a top-tier OpenAI package.

Source: kam193 (c9be15ab63daf09fd0949c09ea93f0d014aa6886b071ecc5a1af0dc4546d5a2a)

Typosquatting package published from a compromised account with an embedded infostealer. The infostealer is a heavily obfuscated JavaScript code executed using Bun runtime on Python startup. It collects all kinds of sensitive data, including API keys, credentials to package repositories, cryptocurrency assets, password manager data. Infostealer actively queries online services to collect additional secrets as well as attempts to gain persistence and spread further by publishing infected packages using collected credentials. Data are exfiltrated likely using Github. The code seems to threaten to wipe the user's data if it detects invalid GitHub tokens. Cleanup should be done with caution.

It seems to be related to the recent Mini Shai Hulud campaign.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-compr-woodpecker

Reasons (based on the campaign):

compromised-package
exfiltration-env-variables
exfiltration-cloud-tokens
exfiltration-credentials
abuses-pth
obfuscation
infostealer
The package contains code to detect if it is running in a sandbox environment.
exfiltration-crypto
files-exfiltration
destructive-actions

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "pypi/2026-06-compr-woodpecker/tiktoken-mcp",
            "versions": [
                "0.13.1",
                "0.13.2"
            ],
            "sha256": "c9be15ab63daf09fd0949c09ea93f0d014aa6886b071ecc5a1af0dc4546d5a2a",
            "source": "kam193",
            "modified_time": "2026-06-08T10:16:53.930162Z",
            "import_time": "2026-06-08T11:41:02.549263659Z"
        },
        {
            "id": "pypi/2026-06-compr-woodpecker/tiktoken-mcp",
            "versions": [
                "0.13.1",
                "0.13.2"
            ],
            "sha256": "05e1b139b928815987413cc4db186e23aceff0d04df4fabaf7c80813b9b154b4",
            "source": "kam193",
            "modified_time": "2026-06-08T10:16:53.930162Z",
            "import_time": "2026-06-09T07:48:29.66155438Z"
        },
        {
            "id": "IN-MAL-2026-005617",
            "versions": [
                "0.13.1"
            ],
            "sha256": "ac746100211f13951c190e98140c6948be51d7be9257b2b26bcc9baef19be29f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T06:16:39Z",
            "import_time": "2026-06-11T07:49:33.215742097Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com
- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / tiktoken-mcp

Package

Name: tiktoken-mcp; View open source insights on deps.dev
Purl: pkg:pypi/tiktoken-mcp

Affected ranges

Affected versions

0.*

0.13.1

0.13.2

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "tiktoken-setup.pth",
            "sha256": "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2",
            "tlsh": "8721015780038160da72d627cb2929f4278b0cbb4e538b1b8de8d9c172d0d1197b6b48"
        },
        {
            "path": "tiktoken_mcp-0.13.1.dist-info/METADATA",
            "sha256": "94fb43588dc4cd8c755fc9c248e672fa9d54489995fa9f65f818e27d41c8a21e",
            "tlsh": "cad1291be30c67601b862eb0b16be9bdef3cb19d6b0a5e87392c93e00f4011980b7565"
        }
    ],
    "package_integrity": [
        {
            "filename": "tiktoken_mcp-0.13.1-cp310-cp310-macosx_10_12_x86_64.whl",
            "hashes": {
                "md5": "0e39996d1770e97c3b996071b9a6cf9d",
                "blake2b_256": "0f9a817780a25f005cf49b0311856e5514e9558749b63d9c7e6dc73625236e04",
                "sha256": "a60c3945431c0a8fe7fd99c0227f2d75b6acc14358237cef56ac15fc9ff0b574"
            }
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tiktoken-mcp/MAL-2026-5326.json"