MAL-2026-5876

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/temp-development-package-test/MAL-2026-5876.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5876
Published
2026-06-16T09:48:43Z
Modified
2026-07-09T16:32:06.444795494Z
Summary
Malicious code in temp-development-package-test (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (14f3eeecfabfcb249c5f6ec2a20824355ac313ab18c677334076ca9501607ec8)

At install time, setup.py invokes installsitecustomize(), which copies src/tempdevelopmentpackagetest/setup/sitecustomize.py into Python's purelib site-packages directory as sitecustomize.py (setup.py:34 destination = sitepackages / "sitecustomize.py"; setup.py:36 shutil.copy2(source, destination)). Python auto-imports sitecustomize on every interpreter startup, so this places an interpreter-wide hook outside the package's own namespace that fires for every subsequent Python process on the host — a classic persistence mechanism. The hook payload file is not actually shipped in this 0.2 sdist, so the install would currently raise FileNotFoundError, but the install-time mechanism and intent to write a global hook are unambiguous. The package metadata corroborates a throwaway / probe release: name, author, and summary are all the literal placeholder 'tempdevelopmentpackagetest'; setup.py imports base64 but never uses it; cli.py imports from an unrelated, undeclared module 'pg_agent.orchestration.coordinator'. The combination — placeholder identity plus install-time write of a global interpreter hook — is not a legitimate package shape.

Source: kam193 (5cdc1d94dd0cfb62a4a0267ae52bf1a72dfa31a6854196b4bb220759b7c6e878)

Starting with version 0.4, package installs a sitecustomize.py that executes during Python engine initialization. The embeded code uses mshta to download malicious code, as in other packages from the campaign.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-easyaillm

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • obfuscation

  • malware

  • tool:mshta

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.4"
            ],
            "id": "pypi/2026-06-easyaillm/temp-development-package-test",
            "modified_time": "2026-06-16T09:48:43.333965Z",
            "import_time": "2026-06-16T10:17:17.181851951Z",
            "sha256": "e3c86f2cd8d50f754a3ad16c1daeda56d43f655d6025fa24c7fa91bcbdfd84dc",
            "source": "kam193"
        },
        {
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.4"
            ],
            "id": "pypi/2026-06-easyaillm/temp-development-package-test",
            "modified_time": "2026-06-16T09:48:43.333965Z",
            "import_time": "2026-06-16T12:17:04.382979281Z",
            "sha256": "dcb57e25c8993eacafd70b6d4add3460419c7f2c7083ee50397700f1e1238d4c",
            "source": "kam193"
        },
        {
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.4"
            ],
            "id": "pypi/2026-06-easyaillm/temp-development-package-test",
            "modified_time": "2026-06-16T09:48:43.333965Z",
            "import_time": "2026-06-17T09:49:36.178013694Z",
            "sha256": "5cdc1d94dd0cfb62a4a0267ae52bf1a72dfa31a6854196b4bb220759b7c6e878",
            "source": "kam193"
        },
        {
            "versions": [
                "0.1"
            ],
            "id": "IN-MAL-2026-008838",
            "modified_time": "2026-07-08T22:40:32Z",
            "import_time": "2026-07-08T22:51:26.349905541Z",
            "sha256": "d13efa8d6d49d2f7018bd432d115e87064d4e2ad8a9cc56e00d9514739f178ae",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "0.3"
            ],
            "id": "IN-MAL-2026-008993",
            "modified_time": "2026-07-08T23:03:11Z",
            "import_time": "2026-07-08T23:27:58.005381709Z",
            "sha256": "126aa8a85eddebf7fb68ce845c1fe85e9991a6584da5fe768aa4ffb1bd089592",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "0.2"
            ],
            "id": "IN-MAL-2026-009170",
            "modified_time": "2026-07-09T15:38:38Z",
            "import_time": "2026-07-09T16:20:47.772482618Z",
            "sha256": "14f3eeecfabfcb249c5f6ec2a20824355ac313ab18c677334076ca9501607ec8",
            "source": "amazon-inspector"
        }
    ],
    "iocs": {
        "urls": [
            "https://pastebin.com/raw/hEF5HaFc",
            "https://pastebin.com/raw/yBcUM1QBs",
            "https://pastebin.com/raw/yBcUM1QB",
            "http://fixars.top",
            "https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe",
            "http://62.60.226.243/public_files/98r4aXA.txt",
            "http://62.60.226.243/public_files/16sas.jpg?12711313"
        ],
        "domains": [
            "fixars.top"
        ]
    }
}
References
Credits

Affected packages

PyPI / temp-development-package-test

Package

Name
temp-development-package-test
View open source insights on deps.dev
Purl
pkg:pypi/temp-development-package-test

Affected ranges

Affected versions

0.*
0.1
0.2
0.3
0.4

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "temp_development_package_test-0.1.tar.gz",
            "hashes": {
                "md5": "379a9f9b285bd0d4ee912cfa2706dcf4",
                "sha256": "f970296e2960b874e1367f13a31089fc080c25d4bd419a1fe8040113d647260b",
                "blake2b_256": "beda7811e6f950f492dab1b1c55f19333325ee6edc099909c7c4ff5ffd3bb900"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "193f7b99ed544d86d40f6860997d9f664acb03382ffd4462c29181fea1b64643",
            "tlsh": "3321d02b8477baf454e25d545e265822faa7d33fed2040ceb6bc83582f7140586a78ac",
            "path": "setup.py"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/temp-development-package-test/MAL-2026-5876.json"