-= Per source details. Do not edit below this line.=-
On import ultimate_ai_power, the package's top-level __init__.py collects the local username (getpass.getuser) and resolved host IP (socket.gethostbyname) and POSTs them to a hardcoded Telegram Bot API endpoint (bot token 8844473290:AAGY..., chat_id 7095972030); a second beacon is sent via an atexit handler. The advertised AI functions (aipowerboost, neuralenhance, quantum_compute) are placeholders that return constant strings — the package has no real functionality beyond the exfiltration beacon. Metadata uses a placeholder author 'AI Innovation Labs' with a non-existent GitHub org. Cover-story messages in the beacon payload are written in Russian. Any installer who imports the package leaks identifying host/user information to the attacker.
Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: GENERIC-standard-pypi-install-pentest
Reasons (based on the campaign):
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"sha256": "70f226090d6e1bc8acebdeff932907dda5bcf88c21b6c47d25360cd69a606f0d",
"source": "kam193",
"modified_time": "2026-06-09T16:53:29.551414Z",
"import_time": "2026-06-09T17:45:57.534521243Z",
"id": "pypi/GENERIC-standard-pypi-install-pentest/ultimate-ai-power"
},
{
"versions": [
"1.0.0"
],
"sha256": "90499eb8f54fcc67c067ef7d5397153b4abfc5bbca9d96e7deb291152f49ed3f",
"modified_time": "2026-06-11T13:06:25Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T13:27:20.84823521Z",
"id": "IN-MAL-2026-005735"
},
{
"versions": [
"1.0.0"
],
"sha256": "4ffa5cc89780d430fb5cea5c6c9916d5369443a431c74cc46beb1c7ebb23c763",
"modified_time": "2026-06-11T13:06:25Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005736",
"import_time": "2026-06-11T13:27:20.885338232Z"
}
]
}
{
"package_integrity": [
{
"filename": "ultimate_ai_power-1.0.0-py3-none-any.whl",
"hashes": {
"sha256": "8a95c959d0c5b02efe5b9687060423cf78ff2a187f9b1c0e41b944d00f2fac41",
"md5": "b75ac81c854da96d55f42d021dd86edf",
"blake2b_256": "ca1cc178e8075001b0c0fd1dd0a5501373f9fca857fcd6420bfd148a9e1ab882"
}
},
{
"filename": "ultimate_ai_power-1.0.0.tar.gz",
"hashes": {
"sha256": "b7745bd67c11e211714b1254d6e4ae202e58f7ca6998e2701393c5b1e2786435",
"md5": "77954527f4cd32fbedaedf48fce2ad0d",
"blake2b_256": "3742802bbd4cb03862c91d437e69436840cc8d2b2cc27928cef2b003bea8b4d1"
}
}
],
"evidence_files": [
{
"sha256": "7224250450ce51f8fb00fdd1f136cd6b430c22745e4e582c83a313e692e386a7",
"path": "src/ultimate_ai_power/__init__.py",
"tlsh": "55513217ed1e1510a272816fa441e1ade92a621b2b496433f8ecc6719f75c32c2f57dc"
}
],
"domains": [
"api.telegram.org"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ultimate-ai-power/MAL-2026-5458.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]