MAL-2026-5812

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/hello-test-s1/MAL-2026-5812.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5812
Published
2026-06-15T17:39:49Z
Modified
2026-07-08T20:47:14.514918277Z
Summary
Malicious code in hello-test-s1 (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e168a49ebd07050fbf35d1cd9714b289903c0593b9bdef27874f975be60461b7)

The package was found to contain malicious code or consuming dependency that contains malicious code

Source: kam193 (3e38aef2a7eaa434284aa00122cf429e1a1a07658e02afec7bb3690d7cbfe9ec)

During installation or importing the module, the package starts a reverse shell to hardcoded locatiom


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-12-aiogram-sever-patch

Reasons (based on the campaign):

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • dependency-confusion

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.1.0",
                "0.3.0",
                "0.3.1"
            ],
            "id": "pypi/2025-12-aiogram-sever-patch/hello-test-s1",
            "import_time": "2026-06-15T18:54:58.629045299Z",
            "sha256": "3e38aef2a7eaa434284aa00122cf429e1a1a07658e02afec7bb3690d7cbfe9ec",
            "modified_time": "2026-06-15T17:41:54.234691Z",
            "source": "kam193"
        },
        {
            "versions": [
                "0.1.0"
            ],
            "id": "IN-MAL-2026-008358",
            "import_time": "2026-07-08T20:32:18.232258944Z",
            "modified_time": "2026-07-08T19:58:36Z",
            "sha256": "e168a49ebd07050fbf35d1cd9714b289903c0593b9bdef27874f975be60461b7",
            "source": "amazon-inspector"
        }
    ],
    "iocs": {
        "ips": [
            "147.45.124.42"
        ]
    }
}
References
Credits

Affected packages

PyPI / hello-test-s1

Package

Affected ranges

Affected versions

0.*
0.1.0
0.3.0
0.3.1

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "hello_test_s1-0.1.0.tar.gz",
            "hashes": {
                "md5": "9016bb98c1672cc69f6e51046457fdeb",
                "sha256": "7533e42e21b798b347fbe513c9ada141a95bfda5130033cc5dc30ff5172ab6c7",
                "blake2b_256": "10f661f6fe847ea79af099c902328a9d12dcb6e031edb3721df9ada21c54192c"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/hello-test-s1/MAL-2026-5812.json"