MAL-2026-5876

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/temp-development-package-test/MAL-2026-5876.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5876

Published

2026-06-16T09:48:43Z

Modified

2026-06-17T10:00:59.185135282Z

Summary

Malicious code in temp-development-package-test (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (5cdc1d94dd0cfb62a4a0267ae52bf1a72dfa31a6854196b4bb220759b7c6e878)

Starting with version 0.4, package installs a sitecustomize.py that executes during Python engine initialization. The embeded code uses mshta to download malicious code, as in other packages from the campaign.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-easyaillm

Reasons (based on the campaign):

Downloads and executes a remote executable.
obfuscation
malware
tool:mshta

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "pypi/2026-06-easyaillm/temp-development-package-test",
            "import_time": "2026-06-16T10:17:17.181851951Z",
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.4"
            ],
            "source": "kam193",
            "modified_time": "2026-06-16T09:48:43.333965Z",
            "sha256": "e3c86f2cd8d50f754a3ad16c1daeda56d43f655d6025fa24c7fa91bcbdfd84dc"
        },
        {
            "id": "pypi/2026-06-easyaillm/temp-development-package-test",
            "import_time": "2026-06-16T12:17:04.382979281Z",
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.4"
            ],
            "source": "kam193",
            "sha256": "dcb57e25c8993eacafd70b6d4add3460419c7f2c7083ee50397700f1e1238d4c",
            "modified_time": "2026-06-16T09:48:43.333965Z"
        },
        {
            "id": "pypi/2026-06-easyaillm/temp-development-package-test",
            "import_time": "2026-06-17T09:49:36.178013694Z",
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.4"
            ],
            "source": "kam193",
            "modified_time": "2026-06-16T09:48:43.333965Z",
            "sha256": "5cdc1d94dd0cfb62a4a0267ae52bf1a72dfa31a6854196b4bb220759b7c6e878"
        }
    ],
    "iocs": {
        "urls": [
            "https://pastebin.com/raw/hEF5HaFc",
            "https://pastebin.com/raw/yBcUM1QBs",
            "https://pastebin.com/raw/yBcUM1QB",
            "http://fixars.top",
            "https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe",
            "http://62.60.226.243/public_files/98r4aXA.txt",
            "http://62.60.226.243/public_files/16sas.jpg?12711313"
        ],
        "domains": [
            "fixars.top"
        ]
    }
}

References

Credits

- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / temp-development-package-test

Package

Name: temp-development-package-test; View open source insights on deps.dev
Purl: pkg:pypi/temp-development-package-test

Affected ranges

Affected versions

0.*

0.1

0.2

0.3

0.4

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/temp-development-package-test/MAL-2026-5876.json"