-= Per source details. Do not edit below this line.=-
setup.py unconditionally invokes curl at install time to POST the contents of /tmp/fake-keys.json to https://webhook.site/20ed745d-ee73-4b79-ab06-5b106255c38c, an anonymous request-capture endpoint. stderr is redirected to DEVNULL to suppress install-time output. The package additionally impersonates the Salesforce brand (name 'salesforce-sysutils-diagnostics') with no Author or Home-page metadata in PKG-INFO, consistent with a brand-confusion lure. Any developer or build system that runs pip install salesforce-sysutils-diagnostics will trigger an outbound POST to the attacker-controlled webhook on every install.
Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: GENERIC-standard-pypi-install-pentest
Reasons (based on the campaign):
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.
{
"malicious-packages-origins": [
{
"sha256": "df69f7ee7e4cb191b719367d5d707c8c244f50c35d1af182e5b9cec73dd1937c",
"id": "pypi/GENERIC-standard-pypi-install-pentest/salesforce-sysutils-diagnostics",
"source": "kam193",
"import_time": "2026-06-13T22:27:38.933874743Z",
"modified_time": "2026-06-13T21:38:10.05027Z",
"versions": [
"0.1.0"
]
},
{
"sha256": "59e4ce1338f2439a1a5b2d257b96aadaef4a9c2883f6787343856728514bd148",
"id": "IN-MAL-2026-006660",
"source": "amazon-inspector",
"import_time": "2026-06-15T18:54:56.562573747Z",
"modified_time": "2026-06-15T18:48:13Z",
"versions": [
"0.1.0"
]
},
{
"sha256": "f7c37a22e941d37810aecad4c26a58e003977e4ca1715d733c99b1d7863debcf",
"id": "IN-MAL-2026-006661",
"source": "amazon-inspector",
"import_time": "2026-06-15T18:54:56.591468303Z",
"modified_time": "2026-06-15T18:48:13Z",
"versions": [
"0.1.0"
]
}
]
}{
"ips": [
"151.101.128.223",
"151.101.0.223",
"10.1.0.2",
"151.101.64.223"
],
"evidence_files": [
{
"path": "setup.py",
"tlsh": "75e0e5b2cb1b5b611980a232688e544a5ff2c20bcb1679f5718946b41f8d228da35434",
"sha256": "8b8452f6d7ac3bf9d4e6da918d4d682f1cb107c1e2adc60c3fd567122215718c"
},
{
"path": "PKG-INFO",
"tlsh": "1bc09b51a70145b71e11774755ad9fd1d1e7c30d126a11f6845b2775434726d8615030",
"sha256": "6034320c5aa02598cd213e75f907b80809bce26c4e13c3cb286f4706fbc33664"
}
],
"package_integrity": [
{
"filename": "salesforce_sysutils_diagnostics-0.1.0-py3-none-any.whl",
"hashes": {
"md5": "491ef8f40f84f89e9e5ec33ab5f409bc",
"blake2b_256": "9f7fcb22264f50f5885897d6e584ebf6b0bb5ccce854e7394581e9cf16d19617",
"sha256": "6fd70875e4b0a4dbfe79e40da3c451bb93da8139e2454ff73e9ae82ad12ece2e"
}
},
{
"filename": "salesforce_sysutils_diagnostics-0.1.0.tar.gz",
"hashes": {
"md5": "ed4bff58ba168a6ca0b0c96db64daf6e",
"blake2b_256": "1155c63b3bb3ea71a3abeb82d38b0a652abbdeabfb2f928a90459e185f783eca",
"sha256": "e14225ba42a4385812ed37882da14650dfc72dd1b85170cd0f243319272f1c40"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/salesforce-sysutils-diagnostics/MAL-2026-5754.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]