-= Per source details. Do not edit below this line.=-
During pip install, setup.py performs an unauthenticated HTTP fetch of https://pastebin.com/raw/yBcUM1QB, takes the first line of the response, and passes it directly to os.system(f'cmd /c "{cmd_pastebin}"'). The remote content is hosted on an anonymous, mutable, attacker-controlled paste with no pinning, no hash check, and no signature verification. Whoever controls the paste obtains arbitrary command execution on every installer's machine at install time. This is a canonical install-time dropper pattern: lifecycle-time outbound fetch from an unverified source piped straight into the OS shell.
During installation, the code attempts to download and start a malicious executable.
Likely related to 2025-08-raknet-testing-package.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-easyaillm
Reasons (based on the campaign):
Downloads and executes a remote executable.
obfuscation
malware
tool:mshta
{
"malicious-packages-origins": [
{
"sha256": "b7ac8db348471011dee14fad41b2d0a487f08463c10c678625fe8184e8088e0a",
"id": "pypi/2026-06-easyaillm/easyllmai",
"import_time": "2026-06-14T09:11:41.992734607Z",
"modified_time": "2026-06-14T07:51:34.671511Z",
"versions": [
"2.1",
"2.21"
],
"source": "kam193"
},
{
"sha256": "e20bbc5f03184dd5e7f4b4ea3a6b937c84194ce0ef0bf851d761b02a9614bc06",
"id": "IN-MAL-2026-006663",
"import_time": "2026-06-15T18:54:56.672873414Z",
"modified_time": "2026-06-15T18:48:33Z",
"versions": [
"2.21"
],
"source": "amazon-inspector"
},
{
"versions": [
"2.21"
],
"id": "IN-MAL-2026-006662",
"modified_time": "2026-06-15T18:48:32Z",
"sha256": "4589bbb71e0bb3589a162bf2102bba5e8bf7124d3988235647d1e3c1d01821d0",
"import_time": "2026-06-15T18:54:56.64404926Z",
"source": "amazon-inspector"
},
{
"versions": [
"2.1",
"2.21"
],
"id": "pypi/2026-06-easyaillm/easyllmai",
"modified_time": "2026-06-14T07:51:34.671511Z",
"import_time": "2026-06-15T22:45:32.256456563Z",
"sha256": "981f5ad88772daa291287d5e6901fc9575d51ee790bc337e79fae1352a0b3458",
"source": "kam193"
},
{
"versions": [
"2.1",
"2.21"
],
"id": "pypi/2026-06-easyaillm/easyllmai",
"modified_time": "2026-06-14T07:51:34.671511Z",
"sha256": "02726dfbbdccf0f508d67c5f01c3f7229914b2004b43d746893bff2ee55ce6a4",
"import_time": "2026-06-16T10:17:17.171515082Z",
"source": "kam193"
},
{
"versions": [
"2.1",
"2.21"
],
"id": "pypi/2026-06-easyaillm/easyllmai",
"modified_time": "2026-06-14T07:51:34.671511Z",
"sha256": "514a092cfe1fa955f76069856c32d21a30c0d917d0bf7cea2340a4d147e6a4e3",
"import_time": "2026-06-17T09:49:36.167813633Z",
"source": "kam193"
}
],
"iocs": {
"urls": [
"https://pastebin.com/raw/hEF5HaFc",
"https://pastebin.com/raw/yBcUM1QBs",
"https://pastebin.com/raw/yBcUM1QB",
"http://fixars.top"
],
"domains": [
"fixars.top"
]
}
}{
"ips": [
"172.66.171.73",
"104.20.29.150"
],
"package_integrity": [
{
"filename": "easyllmai-2.21.tar.gz",
"hashes": {
"md5": "9f7f56e25889a650a1fafe0a6d23191a",
"sha256": "a09300fa82ad81296c00f50f87c413a38c0b1093f141d032754ed0bde25844bd",
"blake2b_256": "9354a011f4f12f5f8f93a1d1dd31d34232102338f460244c87b592594b848f90"
}
}
],
"evidence_files": [
{
"tlsh": "3c116713cda7bc9963b1c0405826a850f91197571b91c447b43c435d3f742e189b289c",
"sha256": "5c5ca7f718456748e70ff2233aa79703bd10e853e32e7adc5685c63c61df7153",
"path": "setup.py"
}
],
"domains": [
"pastebin.com"
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/easyllmai/MAL-2026-5766.json"