MAL-2026-5754

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/salesforce-sysutils-diagnostics/MAL-2026-5754.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5754
Published
2026-06-13T21:38:10Z
Modified
2026-06-15T19:06:36.658201644Z
Summary
Malicious code in salesforce-sysutils-diagnostics (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (59e4ce1338f2439a1a5b2d257b96aadaef4a9c2883f6787343856728514bd148)

setup.py unconditionally invokes curl at install time to POST the contents of /tmp/fake-keys.json to https://webhook.site/20ed745d-ee73-4b79-ab06-5b106255c38c, an anonymous request-capture endpoint. stderr is redirected to DEVNULL to suppress install-time output. The package additionally impersonates the Salesforce brand (name 'salesforce-sysutils-diagnostics') with no Author or Home-page metadata in PKG-INFO, consistent with a brand-confusion lure. Any developer or build system that runs pip install salesforce-sysutils-diagnostics will trigger an outbound POST to the attacker-controlled webhook on every install.

Source: kam193 (df69f7ee7e4cb191b719367d5d707c8c244f50c35d1af182e5b9cec73dd1937c)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.


Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

  • The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

  • The package overrides the install command in setup.py to execute malicious code during installation.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "df69f7ee7e4cb191b719367d5d707c8c244f50c35d1af182e5b9cec73dd1937c",
            "id": "pypi/GENERIC-standard-pypi-install-pentest/salesforce-sysutils-diagnostics",
            "source": "kam193",
            "import_time": "2026-06-13T22:27:38.933874743Z",
            "modified_time": "2026-06-13T21:38:10.05027Z",
            "versions": [
                "0.1.0"
            ]
        },
        {
            "sha256": "59e4ce1338f2439a1a5b2d257b96aadaef4a9c2883f6787343856728514bd148",
            "id": "IN-MAL-2026-006660",
            "source": "amazon-inspector",
            "import_time": "2026-06-15T18:54:56.562573747Z",
            "modified_time": "2026-06-15T18:48:13Z",
            "versions": [
                "0.1.0"
            ]
        },
        {
            "sha256": "f7c37a22e941d37810aecad4c26a58e003977e4ca1715d733c99b1d7863debcf",
            "id": "IN-MAL-2026-006661",
            "source": "amazon-inspector",
            "import_time": "2026-06-15T18:54:56.591468303Z",
            "modified_time": "2026-06-15T18:48:13Z",
            "versions": [
                "0.1.0"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / salesforce-sysutils-diagnostics

Package

Name
salesforce-sysutils-diagnostics
View open source insights on deps.dev
Purl
pkg:pypi/salesforce-sysutils-diagnostics

Affected ranges

Affected versions

0.*
0.1.0

Database specific

indicators
{
    "ips": [
        "151.101.128.223",
        "151.101.0.223",
        "10.1.0.2",
        "151.101.64.223"
    ],
    "evidence_files": [
        {
            "path": "setup.py",
            "tlsh": "75e0e5b2cb1b5b611980a232688e544a5ff2c20bcb1679f5718946b41f8d228da35434",
            "sha256": "8b8452f6d7ac3bf9d4e6da918d4d682f1cb107c1e2adc60c3fd567122215718c"
        },
        {
            "path": "PKG-INFO",
            "tlsh": "1bc09b51a70145b71e11774755ad9fd1d1e7c30d126a11f6845b2775434726d8615030",
            "sha256": "6034320c5aa02598cd213e75f907b80809bce26c4e13c3cb286f4706fbc33664"
        }
    ],
    "package_integrity": [
        {
            "filename": "salesforce_sysutils_diagnostics-0.1.0-py3-none-any.whl",
            "hashes": {
                "md5": "491ef8f40f84f89e9e5ec33ab5f409bc",
                "blake2b_256": "9f7fcb22264f50f5885897d6e584ebf6b0bb5ccce854e7394581e9cf16d19617",
                "sha256": "6fd70875e4b0a4dbfe79e40da3c451bb93da8139e2454ff73e9ae82ad12ece2e"
            }
        },
        {
            "filename": "salesforce_sysutils_diagnostics-0.1.0.tar.gz",
            "hashes": {
                "md5": "ed4bff58ba168a6ca0b0c96db64daf6e",
                "blake2b_256": "1155c63b3bb3ea71a3abeb82d38b0a652abbdeabfb2f928a90459e185f783eca",
                "sha256": "e14225ba42a4385812ed37882da14650dfc72dd1b85170cd0f243319272f1c40"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/salesforce-sysutils-diagnostics/MAL-2026-5754.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]