MAL-2026-5545

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/acme-widget-layout-utils/MAL-2026-5545.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5545
Published
2026-06-11T01:46:15Z
Modified
2026-06-11T08:01:34.000735632Z
Summary
Malicious code in acme-widget-layout-utils (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (42e53a38c2df70a3c6a2a24b2484840e6a163f2e1a9b91236a2aa7a9ec004600)

On first import, src/acme_widget_layout_utils/__init__.py (lines 13-17) opens a TCP socket to 34.69.137.236:80, duplicates stdin/stdout/stderr onto the socket via os.dup2, and execs /bin/sh -i — a textbook interactive reverse shell handing remote shell access to whoever controls 34.69.137.236. The behavior is unconditional and fires the moment any consumer runs import acme_widget_layout_utils. setup.py additionally installs a custom install command that writes /tmp/pypiinstallhookmarker.txt at install time, corroborating the package's role as a deliberately crafted attack artifact. The package name suggests benign UI/layout utilities and contains no such functionality; the pyproject.toml description openly self-identifies as a 'pentest C2 target', but the package is published on public PyPI under a generic name where any developer searching for widget/layout helpers can incidentally install it and be backdoored. The README's 'authorized pentest' framing does not change installer-side impact.

Source: kam193 (643a7c935e2bb063cea8baf36f13bca89572d1febbf0efdb05812ee09ddde4d8)

During import, the package starts a reverse shell.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005357",
            "import_time": "2026-06-11T02:24:27.554501614Z",
            "sha256": "42e53a38c2df70a3c6a2a24b2484840e6a163f2e1a9b91236a2aa7a9ec004600",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:46:15Z",
            "versions": [
                "0.0.3"
            ]
        },
        {
            "id": "pypi/2026-06-acme-widget-layout-utils/acme-widget-layout-utils",
            "versions": [
                "0.0.1",
                "0.0.2",
                "0.0.3"
            ],
            "sha256": "643a7c935e2bb063cea8baf36f13bca89572d1febbf0efdb05812ee09ddde4d8",
            "source": "kam193",
            "modified_time": "2026-06-11T05:40:39.931561Z",
            "import_time": "2026-06-11T07:49:46.172073804Z"
        }
    ]
}

Affected packages

PyPI / acme-widget-layout-utils

Package

Name
acme-widget-layout-utils
Purl
pkg:pypi/acme-widget-layout-utils

Affected ranges

Affected versions

0.*
0.0.1
0.0.2
0.0.3

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "src/acme_widget_layout_utils/__init__.py",
            "sha256": "611dbc535af11a1b91d66630e0f56d6a7a7174e74f46907fb8291d738448738c",
            "tlsh": "c701cb8bcc2ad09a5f72a1918061c068de57a8031b3818b2bdec53146bf302561b4932"
        },
        {
            "path": "setup.py",
            "sha256": "4ed96d4110ec206f50864acb834b2f11808cb903df3b39a876a3ebcf8fe66eea",
            "tlsh": "7fe02646983f7070ad9383a488b346121c23c6605bf0e2a674fe1a715f931e6cc478c3"
        },
        {
            "path": "pyproject.toml",
            "sha256": "1ed303a16226ddc822f2fb6d1d148805a1c09eb5577cfaa92220f7588902097f",
            "tlsh": "31e06823cb775965eac164446051a167cdf2e8d92dc0d85c8acfc9983cee0e9c6f8929"
        }
    ],
    "package_integrity": [
        {
            "filename": "acme_widget_layout_utils-0.0.3-py3-none-any.whl",
            "hashes": {
                "md5": "f4295d1297c0cb74a638a3ad949d0817",
                "blake2b_256": "38246aec6a745e8f7660a345797c632829f16c2f5b9bf30ea6ba2a19f9b11b53",
                "sha256": "6ac0e78622500c826abe1209dc38b736dc0efdbdf350de726cf61dcb7da7834a"
            }
        },
        {
            "filename": "acme_widget_layout_utils-0.0.3.tar.gz",
            "hashes": {
                "md5": "5bd41cffddaf6808608d6875b0a9dc38",
                "blake2b_256": "a2a54dc0b1fd6fb75fd5d3f0d66ff1e64cfd2f20f72d07e275683859946b26d8",
                "sha256": "58cea9e8965d0148962288648322bebcd4ddf5576169269981612a9c729bd233"
            }
        }
    ]
}