MAL-2026-6289
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/equest/MAL-2026-6289.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6289
- Published
- 2026-06-23T12:07:23Z
- Modified
- 2026-06-23T19:46:24.488379826Z
- Summary
- Malicious code in equest (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (cfe07e7f1e241dde491d3d6f5553ed2247a6f8e1dfdf34b0eaa9943a2cba5094)
The package name
equestis a one-character deletion of the widely-usedrequestspackage and ships no functional library code. setup.py registers custom install and egg_info cmdclasses so that onpip installorpip download, the package collects the full process environment (os.environserialized askey=valuepairs) and the output ofps -elf, then POSTs both tohttp://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.funvia curl over plaintext HTTP. The destination is an Interactsh (oast.fun) collector subdomain controlled by the publisher. Any CI/build secrets present in the installer's environment at install time (cloud credentials, registry tokens, GitHub tokens, database credentials) are leaked to the attacker, and the running process list reveals additional host context. The README self-describes the package as a proof-of-concept of arbitrary code execution viapip install.Source: kam193 (2bb3fce5427fc5a0a72380cf59e8396bf3409ceaead44f6a2df757f125b6e287)
During installation, the package exfiltrates env variables
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-ip-rotat
Reasons (based on the campaign):
The package overrides the install command in setup.py to execute malicious code during installation.
exfiltration-env-variables
- Database specific
{ "iocs": { "domains": [ "gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun" ] }, "malicious-packages-origins": [ { "sha256": "2bb3fce5427fc5a0a72380cf59e8396bf3409ceaead44f6a2df757f125b6e287", "import_time": "2026-06-23T13:28:20.413460091Z", "source": "kam193", "modified_time": "2026-06-23T12:07:23.994682Z", "versions": [ "0.0.1" ], "id": "pypi/2026-06-ip-rotat/equest" }, { "sha256": "cfe07e7f1e241dde491d3d6f5553ed2247a6f8e1dfdf34b0eaa9943a2cba5094", "import_time": "2026-06-23T19:40:40.094438157Z", "source": "amazon-inspector", "modified_time": "2026-06-23T18:57:43Z", "versions": [ "0.0.1" ], "id": "IN-MAL-2026-007333" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / equest
Package
- Name
- equest
- View open source insights on deps.dev
- Purl
- pkg:pypi/equest
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/equest/MAL-2026-6289.json"
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"sha256": "8bc5d48164d98e2402425cd2bbde0c572dc087fff7dce610665f8aae944a3fc1",
"tlsh": "1f315e07e0bf29291ac354a0558f03959bc0e3a32b6431fab2fc29191f0a129103b8af",
"path": "setup.py"
},
{
"tlsh": "0ba024147c30443345f505053c1403350370530c345f4c3c50150f004750054d0dc071",
"sha256": "9966ff2a0a7599ad6d8ca74949977a50f579f49a5138e4e331b9e55dd8e4d32c",
"path": "PKG-INFO"
}
],
"package_integrity": [
{
"filename": "equest-0.0.1-py3-none-any.whl",
"hashes": {
"sha256": "a0fa76f33b41ae3d1b1d0ba0954a0881222bc3330ba4e12405bcc34fd4b3e32e",
"md5": "c61a05ffa3b6b55df1ddbc3fb7c4ab5b",
"blake2b_256": "d6c1e286eeba2c76b9aba625730c1902ba74d72c71a7b0b4ed05f2b70b90088c"
}
},
{
"filename": "equest-0.0.1.tar.gz",
"hashes": {
"sha256": "1673a0ce03f6867e139a0a182bf09078d9fc0c5a124ab9c36843f65dad5db47f",
"md5": "86eb9ea08ebe6e4f2a3363de45663136",
"blake2b_256": "18be4ac8c7376cc802cc362475833ae270f98eac334f7a15f57de9a6ca0dc8b6"
}
}
]
}