MAL-2026-5725

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/dash-grid-normalizer/MAL-2026-5725.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5725
Published
2026-06-13T01:03:41Z
Modified
2026-06-13T02:31:43.512601318Z
Summary
Malicious code in dash-grid-normalizer (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (362011eafffa765e7f6c24df4ec2c7bb8f9fb6b6414570a5d193e6ea90e1250a)

On import, src/dash_grid_normalizer/__init__.py calls hydrateremotelayoutprofile(), which reassembles a payload from four string segments, base64-decodes and zlib-decompresses it, and passes the result to builtins.exec(). The decoded Python source imports os/socket/subprocess, connects a TCP socket to 43.69.137.236:80, dup2's stdin/stdout/stderr onto the socket, and execs /bin/sh — a standard reverse shell granting the operator of that IP interactive command execution as the installer's user. The C2 IP literal is itself further obfuscated as bytes([52,51,46,...]). The package's pyproject description ("Responsive grid and gutter helpers for dashboard widget layouts") and name are cover; the README self-identifies the project as a pentest probe with the reverse shell "LIVE CONFIRMED". Any process that does import dash_grid_normalizer (including transitive imports during test or build) opens the shell.

Source: kam193 (b27c5f3eaf2e7f704830efee579b0a413695540736da93bc3219bfda4afecc79)

During import, the package starts a reverse shell.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
Database specific
{
    "iocs": {
        "ips": [
            "34.69.137.236"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006265",
            "import_time": "2026-06-13T02:23:22.435836615Z",
            "sha256": "33e2cf264a51ab03d244b5226d2ebdced0eaa0c09c462291f9bbdd75410152f1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T01:25:12Z",
            "versions": [
                "0.0.2"
            ]
        },
        {
            "id": "IN-MAL-2026-006267",
            "import_time": "2026-06-13T02:23:22.669477096Z",
            "sha256": "362011eafffa765e7f6c24df4ec2c7bb8f9fb6b6414570a5d193e6ea90e1250a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T01:25:17Z",
            "versions": [
                "0.0.1"
            ]
        },
        {
            "id": "IN-MAL-2026-006268",
            "versions": [
                "0.0.1"
            ],
            "sha256": "56fb3ee9db44cb577a1f92a596d4da7dce1fba88cc4d710c4f920bc364f3004f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T01:25:17Z",
            "import_time": "2026-06-13T02:23:22.774725831Z"
        },
        {
            "id": "IN-MAL-2026-006270",
            "versions": [
                "0.0.5"
            ],
            "sha256": "c4a2ff66920eded5c1f2382ac0edb486e56ee0ce9a9ecc019a4e3dc74a6d3f55",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T01:25:19Z",
            "import_time": "2026-06-13T02:23:23.000654355Z"
        },
        {
            "id": "IN-MAL-2026-006266",
            "versions": [
                "0.0.2"
            ],
            "sha256": "f1367e40c183e27f5273b136155f08a27f5f8c90991560d24c4ef4d44f14d3a2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T01:25:14Z",
            "import_time": "2026-06-13T02:23:22.582878612Z"
        },
        {
            "id": "IN-MAL-2026-006269",
            "versions": [
                "0.0.5"
            ],
            "sha256": "faf62dd8a16c6f5112e302a14e484cd3261532d2c1c6cc1cf53c73eee4f9e6ad",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T01:25:19Z",
            "import_time": "2026-06-13T02:23:22.900588122Z"
        },
        {
            "id": "pypi/2026-06-acme-widget-layout-utils/dash-grid-normalizer",
            "versions": [
                "0.0.1",
                "0.0.2",
                "0.0.3",
                "0.0.4",
                "0.0.5"
            ],
            "sha256": "b27c5f3eaf2e7f704830efee579b0a413695540736da93bc3219bfda4afecc79",
            "source": "kam193",
            "modified_time": "2026-06-13T01:03:43.580551Z",
            "import_time": "2026-06-13T02:23:25.583981987Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / dash-grid-normalizer

Package

Name
dash-grid-normalizer
Purl
pkg:pypi/dash-grid-normalizer

Affected ranges

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "dash_grid_normalizer/__init__.py",
            "sha256": "c5eda0598aafe1afd00a38cac2b8d2381c9dfb1a3145ac49fa3b0f3484fdb71b",
            "tlsh": "5b2105c6e9399516a727e222a4c39d13774d5947568c28f13f7e42246f130b985b1cdc"
        },
        {
            "path": "dash_grid_normalizer-0.0.2.dist-info/METADATA",
            "sha256": "7dbeb712d3b98a8c4e223577ec3044f91294913d73027c197c13a81846c92ac9",
            "tlsh": "3c81a8558cb215e225e3c553b5f27690efb2c66360c57c38eca84f586e981d8623f32e"
        }
    ],
    "package_integrity": [
        {
            "filename": "dash_grid_normalizer-0.0.5-py3-none-any.whl",
            "hashes": {
                "md5": "ceb58abdad111e1cecd53aeb74937395",
                "blake2b_256": "bb9745d86ee8477c3d85053d1fcb8e218909baa4b4d3507943d8157c7b072e67",
                "sha256": "aafdb8d2dc08adfbf7acaaec0b0d26fe2b031c8b6c2e36dc08342ca1ee28edb0"
            }
        },
        {
            "filename": "dash_grid_normalizer-0.0.5.tar.gz",
            "hashes": {
                "md5": "0c9ea518670afdb11e9f5b5654e5d4d6",
                "blake2b_256": "df6319c10d492eb55f24fe531c14bcd471bba54dd600ab0843578f895db4be56",
                "sha256": "737debcd0ce92b13b2a9251506b097d49e9bd2784bc440bf93266e53a94b28fa"
            }
        }
    ],
    "ips": [
        "43.69.137.236"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/dash-grid-normalizer/MAL-2026-5725.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]