MAL-2026-5519

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/requests-toolbelt-plus/MAL-2026-5519.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5519

Published

2026-06-10T17:11:39Z

Modified

2026-06-10T19:31:29.311823518Z

Summary

Malicious code in requests-toolbelt-plus (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (38c64ca050de4910f56bc4a652890b0a378082859cb62153762c6ae08b4b8eae)

The package impersonates the popular requests-toolbelt library but ships an empty requests_toolbelt_plus/__init__.py and places its real logic in setup.py. On pip install, setup.py checks /proc/version for WSL markers and, when matched, opens a TCP socket to the hardcoded IP 185.184.192.205 on port 4444, sends a JSON beacon containing os.getlogin(), os.uname().nodename, and os.getcwd(), then spawns a background thread that reads JSON commands from the socket and executes them via subprocess.run(cmd, shell=True, capture_output=True, text=True), returning stdout/stderr to the operator — full remote command execution against the installer's machine. setup.py also appends a Python one-liner to ~/.bashrc that re-opens the same socket, dup2s stdio onto it, and execs /bin/bash -i, giving the attacker a persistent interactive reverse shell that fires on every new login shell and survives package uninstall. The WSL-only gating is a deliberate evasion to stay dormant on non-WSL maintainer machines and execute only on targeted Windows-Subsystem-for-Linux developer hosts.

Source: kam193 (bd626be82a68d95788077b8b3c87a960c87d971e55496791cedf85154d99087f)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "pypi/GENERIC-standard-pypi-install-pentest/requests-toolbelt-plus",
            "versions": [
                "99.9.9",
                "99.9.10",
                "100.0.0",
                "2026.6.10.172624"
            ],
            "sha256": "bd626be82a68d95788077b8b3c87a960c87d971e55496791cedf85154d99087f",
            "source": "kam193",
            "modified_time": "2026-06-10T17:11:39.385096Z",
            "import_time": "2026-06-10T18:03:22.536305364Z"
        },
        {
            "id": "IN-MAL-2026-005283",
            "import_time": "2026-06-10T19:23:47.877638703Z",
            "sha256": "38c64ca050de4910f56bc4a652890b0a378082859cb62153762c6ae08b4b8eae",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:26:49Z",
            "versions": [
                "99.9.9"
            ]
        },
        {
            "id": "IN-MAL-2026-005294",
            "import_time": "2026-06-10T19:23:48.738470163Z",
            "sha256": "477b55b0e81d5897d1d7252951b472225226bbca8a8d13a70e31cab1e9d13c26",
            "source": "amazon-inspector",
            "modified_time": "2026-06-10T18:41:57Z",
            "versions": [
                "100.0.0"
            ]
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / requests-toolbelt-plus

Package

Name: requests-toolbelt-plus; View open source insights on deps.dev
Purl: pkg:pypi/requests-toolbelt-plus

Affected ranges

Affected versions

99.*

99.9.9

99.9.10

100.*

100.0.0

2026.*

2026.6.10.172624

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "setup.py",
            "sha256": "9b86e3072f1ac94de464250b62d35bd74eca80f444a283fbc3f5db6c066c6a6e",
            "tlsh": "404142c1dcb90120e3b3909918259062a7677d033b46d8787abd87b06f8a079a0b95b9"
        },
        {
            "path": "PKG-INFO",
            "sha256": "a0122930824287222cc11b4598fec403993fe98807725564777d6cea63985118",
            "tlsh": "ced0a79b33862131f4c38089059c465790f9d10171ca2066c4c60ee962cf2489245438"
        }
    ],
    "package_integrity": [
        {
            "filename": "requests_toolbelt_plus-99.9.9-py3-none-any.whl",
            "hashes": {
                "md5": "e98fa689bf5c5701b9a075fae46f9564",
                "blake2b_256": "62b1be1c6a672ebde0f1e5f07834bee2ec69282e165e2b329d60e24949ab49f1",
                "sha256": "7fe6c3efb7b642c75cb23bdc84b4978c5c3d48896e38ad67c5c516561aabe10f"
            }
        },
        {
            "filename": "requests_toolbelt_plus-99.9.9.tar.gz",
            "hashes": {
                "md5": "889faf0acbe8ae286dfc6178353fedb7",
                "blake2b_256": "abed5c121232e9ab398165d373644d77de1ce266487ba199b69ae525eaf569c0",
                "sha256": "1134df5e03681ef11254b3370b1e054d7c2e8db4dd52c5aa59ec02a1d15219e0"
            }
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/requests-toolbelt-plus/MAL-2026-5519.json"