-= Per source details. Do not edit below this line.=-
PyPI package 'icinga' at version 99.1.0 is a dependency-confusion / typosquat lure against the Icinga monitoring project. It ships no real functionality (generic description 'Operational package utility', placeholder author 'Dev') and exists only to run an install-time beacon.
setup.py defines a CustomInstall command that, after install.run(self), collects host identifiers (COMPUTERNAME / uname nodename, current working directory, OS info, and the internal IP obtained via a UDP socket trick to 8.8.8.8) and POSTs them as JSON, tagged 'pypi-tg' / 'icinga', to a base64-encoded URL (aHR0cHM6Ly9weXRob24tbG9nLmxhcHhhMzU0LndvcmtlcnMuZGV2Lw== → https://python-log.lapxa354.workers.dev/) decoded at runtime via base64.b64decode and dispatched with urllib.request.urlopen. Exceptions are suppressed to keep the install silent.
The implausibly high version number (99.1.0) is a classic dependency-confusion technique to outrank legitimate internal mirrors of an 'icinga' name.
Installer impact: any machine running pip install icinga (CI runner, developer workstation, internal build host) leaks its hostname, internal IP, working directory, and OS to the attacker — confirming the typosquat lands and seeding follow-up targeted attacks.
Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: GENERIC-standard-pypi-install-pentest
Reasons (based on the campaign):
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.
{
"malicious-packages-origins": [
{
"id": "pypi/GENERIC-standard-pypi-install-pentest/icinga",
"import_time": "2026-06-10T23:05:20.293091847Z",
"sha256": "d9cccf2af56889eebe443b4e56066615f2524f1359a6dc8d7c3757edad319294",
"source": "kam193",
"modified_time": "2026-06-10T22:38:06.714183Z",
"versions": [
"99.1.0",
"99.2.0"
]
},
{
"id": "IN-MAL-2026-005311",
"import_time": "2026-06-11T00:00:57.405525663Z",
"sha256": "fabb684e6e03a2dbe24fdaf0e0ad5ef0f7713de8b90336c8a32acdd338239f3b",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:33:17Z",
"versions": [
"99.2.0"
]
},
{
"id": "IN-MAL-2026-005314",
"versions": [
"99.1.0"
],
"sha256": "fbedb312e9cfe0f5cc7783487adc963f142ebcaefa0fb9305a9a535f373b052d",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:33:32Z",
"import_time": "2026-06-11T00:00:57.719247967Z"
},
{
"id": "IN-MAL-2026-005315",
"versions": [
"99.1.0"
],
"sha256": "7c34cfe5b70b2aa01e8acb95ead7bd3d3fb21d34a5c970d93b9410f3c295ff1d",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:33:32Z",
"import_time": "2026-06-11T00:00:57.815478929Z"
},
{
"id": "IN-MAL-2026-005310",
"import_time": "2026-06-11T00:00:57.157211643Z",
"sha256": "b55d1127d185fdb502e307fc56184adc01866e7f88d26e1eb8a1717d87bb1193",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:33:17Z",
"versions": [
"99.2.0"
]
}
]
}
{
"evidence_files": [
{
"path": "setup.py",
"sha256": "2d80c9da7fedc7704680228b6d5077846a0d8c0ef3254d4b1c5042aa68d76457",
"tlsh": "0b312087dc3a1831b8b5836888134915f732760b1b03d86b7dfc27786f76424e822bb9"
}
],
"package_integrity": [
{
"filename": "icinga-99.1.0-py3-none-any.whl",
"hashes": {
"md5": "c88b47f1bfd100cfb45a11dd047d3dbe",
"blake2b_256": "185cd17d82182f6fcfcaa39fa4aac3c353b42bd77f04853c7a0d5f895e69797e",
"sha256": "70ece41eeea5f609636c38c885de53063bde7e461546a404715b16a83d940231"
}
},
{
"filename": "icinga-99.1.0.tar.gz",
"hashes": {
"md5": "ba0cb0d0c1a7f2dfee0d3dfd437ec1f0",
"blake2b_256": "7a1eace24a9200bdfb829a13e4aa92002b91b767376987e479c77e7018f5d971",
"sha256": "07a5f39b0d3f0373fa74a9ec27af0ee32f5ad435c3a9eadc0c35d5ff8c1244dc"
}
}
],
"domains": [
"python-log.lapxa354.workers.dev"
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/icinga/MAL-2026-5532.json"