MAL-2026-5679

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pylogxo/MAL-2026-5679.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5679
Published
2026-06-11T21:23:33Z
Modified
2026-06-12T20:02:01.483043943Z
Summary
Malicious code in pylogxo (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bbeee018f429f5a978b85aa3999c8e24251a85dc787b1e4fd673abcabf157800)

On import pylogx, the package spawns a background thread that sleeps 5-20 seconds, force-installs sensitive third-party packages (cryptography, pycryptodomex, secretstorage, opencv-python, pillow, psutil) via pip, then fetches a base64-encoded blob from http://69.164.245.166/payload.txt over plaintext HTTP and passes the decoded bytes to exec() with a synthetic __name__ = "__payload__". The destination is a bare IP with no TLS, no pinning, and no signature verification, so any code the operator of that host serves runs in the importing process. The pre-installed dependency set (secretstorage + cryptography) is consistent with a follow-on credential / keyring harvester. The package is also distributed under the name pylogxo while installing the import name pylogx — a near-edit of legitimate logging library names — and ships placeholder metadata (empty README, https://github.com/example/pylogx, support@pylogx.example) and references submodules (formatter, handlers) that do not exist in the tarball, so the module will ImportError only after the dropper thread has already fired. There is no legitimate reason for a logging utility to fetch and execute remote code at import time.

Source: kam193 (7ccb3e3a1ccde821415d6be9c25d123cc1ebedea4ca6dd40d77fc24e01cd0aaa)

During import, the package downloads and executes remote code that is an infostealer.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-pylogxo

Reasons (based on the campaign):

  • Downloads and executes a remote malicious script.
  • infostealer
  • The package contains code to detect if it is running in a sandbox environment.
  • exfiltration-credentials
  • exfiltration-browser-data
  • files-exfiltration

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.3",
                "1.0.4"
            ],
            "sha256": "7ccb3e3a1ccde821415d6be9c25d123cc1ebedea4ca6dd40d77fc24e01cd0aaa",
            "modified_time": "2026-06-11T21:23:33.791422Z",
            "source": "kam193",
            "import_time": "2026-06-11T22:13:52.448832018Z",
            "id": "pypi/2026-06-pylogxo/pylogxo"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "455e5b81bbb8135a6c89befe8fad406071a849d7a00f49206f4fbfe406f248e6",
            "modified_time": "2026-06-12T19:10:06Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006156",
            "import_time": "2026-06-12T19:44:14.386067724Z"
        },
        {
            "versions": [
                "1.0.4"
            ],
            "sha256": "bbeee018f429f5a978b85aa3999c8e24251a85dc787b1e4fd673abcabf157800",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:10:08Z",
            "import_time": "2026-06-12T19:44:14.492231979Z",
            "id": "IN-MAL-2026-006157"
        }
    ],
    "iocs": {
        "ips": [
            "69.164.245.166"
        ],
        "urls": [
            "http://69.164.245.166/payload.txt"
        ]
    }
}
References
Credits

Affected packages

Package: PyPI / pylogxo
Affected ranges: 1.*
Affected versions: 1.0.3, 1.0.4

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "pylogxo-1.0.3-py3-none-any.whl",
            "hashes": {
                "sha256": "7abdf7155f1ec78f5aeda99e53a8a2708ad353f34c353679b01f3b16559dc0b0",
                "md5": "2d1fd24f8ab10eb57f8aa1325fc52d5a",
                "blake2b_256": "1749d352ef3716e438589eb4982c8f47eda2364c1a75186ba80bbf1b6403d2c4"
            }
        },
        {
            "filename": "pylogxo-1.0.3.tar.gz",
            "hashes": {
                "sha256": "a391c408da110b43668b5de502827ea7333117250609faa04cb395dd215c27f5",
                "md5": "074aecd3535d1366472cb187100038e5",
                "blake2b_256": "1f9164861fcd7f098be7709b231030ac246972bdc0142c8e1711356557052a24"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "576416b87b73754823ef2b1db3326134d0a0fb626349dff2f68a50027a01b60f",
            "path": "pylogx/__init__.py",
            "tlsh": "fa41fe0ca53d5972805b9c945d91bb23f7aebdaf0f4565f03adce3580f8983080467e8"
        },
        {
            "sha256": "1c60a9a318dc48be8d62efb0dc71b3565e63d21c83f23ddbbbee61c2801c51f9",
            "path": "setup.py",
            "tlsh": "10115254c7c01db221a680491c4ba94aad306b073fa4fcc9779c420c2f6e2ff477a22d"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pylogxo/MAL-2026-5679.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]