MAL-2026-6080

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/boardflow/MAL-2026-6080.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6080
Published
2026-06-17T20:52:04Z
Modified
2026-06-17T22:01:48.845603210Z
Summary
Malicious code in boardflow (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7a7f48df7609edb5bab9d9e572f093994d071165578a58032a69392d62b08b86)

On pip install boardflow, setup.py spawns a background thread that fetches http://pooron.org/test.exe over plain HTTP into the OS temp directory and executes it via subprocess.Popen with shell=True, suppressing stdout/stderr. The destination domain is unrelated to the package's advertised purpose (a CLI Kanban tool), the URL is unpinned and unverified (no hash, no signature, plain HTTP allowing MITM tampering), and the fetched .exe is attacker-controlled content executed with the privileges of the installing user. This is a classic install-time dropper that yields arbitrary remote code execution on every installer's machine.

Source: kam193 (1ca250ab62e505dc679b9930d0ea3259c0e1bad68eee5690f9d434d1a8f1077e)

During installation, the package downloads and executes a remote executable identified as an infostealer. The executable contains a VSCode extension with a modified code variant that, during initialization, downloads and executes a JS script from a hardcoded location. During analysis, the script was inaccessible.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-boardflow

Reasons (based on the campaign):

  • infostealer

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • Downloads and executes a remote executable.

  • malware

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7a7f48df7609edb5bab9d9e572f093994d071165578a58032a69392d62b08b86",
            "source": "amazon-inspector",
            "modified_time": "2026-06-17T20:52:04Z",
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-006940",
            "import_time": "2026-06-17T21:42:17.733985712Z"
        },
        {
            "sha256": "1ca250ab62e505dc679b9930d0ea3259c0e1bad68eee5690f9d434d1a8f1077e",
            "source": "kam193",
            "modified_time": "2026-06-17T21:12:22.966397Z",
            "versions": [
                "1.0.0",
                "1.0.1"
            ],
            "id": "pypi/2026-06-boardflow/boardflow",
            "import_time": "2026-06-17T21:42:20.126853462Z"
        }
    ],
    "iocs": {
        "domains": [
            "urmomthabomb.com",
            "pooron.org"
        ],
        "urls": [
            "https://www.urmomthabomb.com/2pro.js",
            "http://pooron.org/test.exe"
        ]
    }
}

Affected packages

PyPI / boardflow

Affected versions

1.*
1.0.0
1.0.1

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/boardflow/MAL-2026-6080.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "7c9e62853e330bdd0ee343b0156f8faf35d3b3d97e5c8701a833b69b1f1994b1",
            "tlsh": "42f02483cc1b512080e09424a10278f2ebb34007eb4785e674acc6746f7ac368258eae",
            "path": "setup.py"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha256": "6b3a8976e25925930bef87f68d56bfb7902c2d795f36e924200c062bf69774bc",
                "blake2b_256": "a8543b124e8d4290c9591d56be2050a5c0b13ffd731064c1b69a46e09b53e306",
                "md5": "b27fb50a44091c71c3b4b9e9e9940d1e"
            },
            "filename": "boardflow-1.0.1-py3-none-any.whl"
        },
        {
            "hashes": {
                "sha256": "e10755a1543547c8bae88fce723760b17994e5fe40a37638e184ca157e2791be",
                "blake2b_256": "2fe9173ec8f801bb7781a36c0fb1f497102c9fa3cd55dad90d4e69c8a79447aa",
                "md5": "f625a70424fa3450d0319229dbf53a03"
            },
            "filename": "boardflow-1.0.1.tar.gz"
        }
    ]
}