MAL-2026-6208

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fastercoding/MAL-2026-6208.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6208
Published
2026-06-19T11:38:53Z
Modified
2026-06-24T03:31:23.624710967Z
Summary
Malicious code in fastercoding (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1c302e448868fcff3110a45d20b53d9d887cfb5aa31bb66df90702f2767246b4)

The package exposes a single public function run() (re-exported from init.py) which, on Windows, downloads BackgroundSyncService.exe from https://raw.githubusercontent.com/manhhungdev0603/kl.py/refs/heads/main/BackgroundSyncService.exe, writes it to %PROGRAMDATA%\BackgroundSyncService\, and executes it via subprocess.Popen([local_filepath], shell=True) (fastercoding/core.py lines 7 and 21). The source is a personal GitHub user's repo named 'kl.py' on the mutable main branch with no hash or signature verification, and the dropped binary is given a system-service cover name ('BackgroundSyncService') and staged into PROGRAMDATA — shape consistent with a keylogger/persistence dropper. Package metadata is empty (no description, author, or homepage) and the package contains no other functionality — the dropper is the package's entire purpose. Any caller of the only advertised entrypoint executes attacker-controlled, mutable, unsigned code on their machine.

Source: kam193 (9dd11cd3c57bf0f46158fd84d7243184d4bd5780e17f49d90f1721e6d0a8f8a1)

The package contains code to download and run a malicious executable. The executable contains a remote access trojan controlled via Telegram bot, with capabilities like a keylogger, screen recording, command execution. It also attempts to gain persistence via startup registry keys.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-fastercode

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • peristence-autorun

  • uses-telegram-bot

  • keylogger

  • rat

  • spyware-like

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "id": "pypi/2026-06-fastercode/fastercoding",
            "import_time": "2026-06-19T12:48:22.554562569Z",
            "modified_time": "2026-06-19T11:38:53.833167Z",
            "sha256": "9dd11cd3c57bf0f46158fd84d7243184d4bd5780e17f49d90f1721e6d0a8f8a1",
            "source": "kam193"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007404",
            "modified_time": "2026-06-24T02:46:53Z",
            "sha256": "1c302e448868fcff3110a45d20b53d9d887cfb5aa31bb66df90702f2767246b4",
            "import_time": "2026-06-24T03:14:01.99999064Z",
            "source": "amazon-inspector"
        }
    ],
    "iocs": {
        "urls": [
            "https://raw.githubusercontent.com/manhhungdev0603/kl.py/refs/heads/main/BackgroundSyncService.exe"
        ]
    }
}
References
Credits

Affected packages

PyPI / fastercoding

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "fastercoding-1.0.0-py3-none-any.whl",
            "hashes": {
                "sha256": "e7b58b1bd6da0661e92fff03c04624aaba0b09b049a10af2b9d7b9b99f6f893a",
                "md5": "5f56f8110af01edc2ce2577887e891b3",
                "blake2b_256": "7c28fe0dbb4d18a8409c205b06eba52d964de694ff8fa7878cae4fdc4bebf3bf"
            }
        },
        {
            "filename": "fastercoding-1.0.0.tar.gz",
            "hashes": {
                "md5": "8b2cbb9b9aec6374159e497e0c8945fa",
                "sha256": "fda441e0a8ee33f29478d434fe06a4f9f7ea4f9d80fbb889d120c26c66d53e41",
                "blake2b_256": "bcd7e5a33fa5bd4d92cb1da79f52921cfe6482fe56b23464bc6927e86b0f5d08"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "6d11af9acc82152192f2c64c5d32d0d1e76082139765a417fafc86646ff417691aa31e",
            "sha256": "2804778d6298368406b925767cb38c1194944292f7de403ff609bbd7469d1548",
            "path": "fastercoding/core.py"
        },
        {
            "sha256": "8f4ec0ef32a8fd6f39cadcd56fb52643b4b4c014d325cabf844c4a52630d7ec1",
            "tlsh": "8aa00280926014aa0ee2e72b015e4744c2f8230868e6145cc44e6a150782678548417d",
            "path": "PKG-INFO"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fastercoding/MAL-2026-6208.json"