MAL-2026-5840

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/testpackagemanyhttpsgo/MAL-2026-5840.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5840
Published
2026-06-15T22:00:38Z
Modified
2026-06-17T10:00:59.246619551Z
Summary
Malicious code in testpackagemanyhttpsgo (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (336f39e218fe5b5a09ef8ee7757efa7a0ca73c0fe6571bc232d735448499a950)

At install time, setup.py fetches https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe via urllib, writes the response to disk, and executes it with os.system("cmd /c start 6a306c5f03a52.exe"). tmpfiles.org is an anonymous, throwaway file-hosting service; the URL is unpinned and unverified, the payload is an opaque Windows executable, and the package's metadata (author and description both equal to the package name) is placeholder content consistent with a throwaway publisher account. Any Windows host running pip install for this package will fetch and execute attacker-controlled bytes automatically, with no opt-in or verification.

Source: kam193 (d330f7ba94bdfb53c05235fa9b278688ada43c2fe207ccc51e977afbc227333c)

During installation, the code attempts to download and start a malicious executable.

Likely related to 2025-08-raknet-testing-package.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-easyaillm

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • obfuscation

  • malware

  • tool:mshta

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "e58c0178b75445617a5eb6ea340e797c86e324d07063e57b9fc4d3eaa5e2c0d9",
            "id": "pypi/2026-06-easyaillm/testpackagemanyhttpsgo",
            "import_time": "2026-06-15T22:45:32.267135758Z",
            "modified_time": "2026-06-15T22:00:40.18636Z",
            "versions": [
                "2.26"
            ],
            "source": "kam193"
        },
        {
            "sha256": "336f39e218fe5b5a09ef8ee7757efa7a0ca73c0fe6571bc232d735448499a950",
            "id": "IN-MAL-2026-006743",
            "import_time": "2026-06-16T03:49:20.022421071Z",
            "modified_time": "2026-06-16T02:55:47Z",
            "versions": [
                "2.26"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "2.26"
            ],
            "id": "pypi/2026-06-easyaillm/testpackagemanyhttpsgo",
            "import_time": "2026-06-16T10:17:17.182692618Z",
            "sha256": "559b34e692c8774c8d4e07cda7c26abefcb40c559158bbdf0179710702ddcca4",
            "modified_time": "2026-06-15T22:00:40.18636Z",
            "source": "kam193"
        },
        {
            "sha256": "d330f7ba94bdfb53c05235fa9b278688ada43c2fe207ccc51e977afbc227333c",
            "id": "pypi/2026-06-easyaillm/testpackagemanyhttpsgo",
            "import_time": "2026-06-17T09:49:36.178896005Z",
            "modified_time": "2026-06-15T22:00:40.18636Z",
            "versions": [
                "2.26"
            ],
            "source": "kam193"
        }
    ],
    "iocs": {
        "urls": [
            "https://pastebin.com/raw/hEF5HaFc",
            "https://pastebin.com/raw/yBcUM1QBs",
            "https://pastebin.com/raw/yBcUM1QB",
            "http://fixars.top",
            "https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe"
        ],
        "domains": [
            "fixars.top"
        ]
    }
}
References
Credits

Affected packages

PyPI / testpackagemanyhttpsgo

Package

Name
testpackagemanyhttpsgo
View open source insights on deps.dev
Purl
pkg:pypi/testpackagemanyhttpsgo

Affected ranges

Affected versions

2.*
2.26

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "testpackagemanyhttpsgo-2.26.tar.gz",
            "hashes": {
                "md5": "9f36a52c008332882b77f33a948cbe36",
                "sha256": "5b1d23e716f32c271d330edb7b12bd3e6a439d01404c83e67e67ee4d121287be",
                "blake2b_256": "9041efb88eb13129da361eb0252fd252089f4e47bdca31a8534f712d18b707f9"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "4d222f40c5eb66ef90be09fc28859ca74c0c9279ed84c35f145a8337676a7cd5",
            "tlsh": "071123538cd6621990b0484099305425faa6e35f6b10c4c7b03d432c7ff88a185a7458",
            "path": "setup.py"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/testpackagemanyhttpsgo/MAL-2026-5840.json"