MAL-2026-6290
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/toorc/MAL-2026-6290.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6290
- Published
- 2026-06-23T12:07:57Z
- Modified
- 2026-06-24T08:01:23.155052674Z
- Summary
- Malicious code in toorc (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (2cfd36909e089f17439dd3227c6f5ccef2fef2964dc26bbdbaaef0481b54615d)
On
pip install(and evenpip download), the package's setup.py overrides theinstallandegg_infocommands to execute a RunCommand() routine that serializes every entry inos.environinto a key=value query string and captures the output ofps -elf. The combined payload is then POSTed via curl over plaintext HTTP tohttp://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun, a unique subdomain on the public interactsh out-of-band testing service. Any CI/build secrets present in the environment at install time (AWS_*, GITHUBTOKEN, NPMTOKEN, CI provider tokens, etc.) leak to the attacker-controlled OAST listener, along with a snapshot of running processes on the host.Source: kam193 (02334bfe46d6509e7900323066c5bb2eda0d5a34a6906cee5ccca3abaecb3ade)
During installation, the package exfiltrates env variables
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-ip-rotat
Reasons (based on the campaign):
The package overrides the install command in setup.py to execute malicious code during installation.
exfiltration-env-variables
typosquatting
- Database specific
{ "iocs": { "domains": [ "gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun" ] }, "malicious-packages-origins": [ { "sha256": "f9b8be8a4e20e24b88630f331f4bdd7bc66e208558ece25843aecc7a8110b4b4", "import_time": "2026-06-23T13:28:20.42407085Z", "source": "kam193", "modified_time": "2026-06-23T12:07:57.927156Z", "versions": [ "0.0.1" ], "id": "pypi/2026-06-ip-rotat/toorc" }, { "sha256": "2cfd36909e089f17439dd3227c6f5ccef2fef2964dc26bbdbaaef0481b54615d", "import_time": "2026-06-23T19:40:40.275534309Z", "source": "amazon-inspector", "modified_time": "2026-06-23T18:58:00Z", "versions": [ "0.0.1" ], "id": "IN-MAL-2026-007334" }, { "sha256": "02334bfe46d6509e7900323066c5bb2eda0d5a34a6906cee5ccca3abaecb3ade", "import_time": "2026-06-24T07:47:34.503935521Z", "source": "kam193", "modified_time": "2026-06-23T12:07:57.927156Z", "versions": [ "0.0.1" ], "id": "pypi/2026-06-ip-rotat/toorc" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / toorc
Package
- Name
- toorc
- View open source insights on deps.dev
- Purl
- pkg:pypi/toorc
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/toorc/MAL-2026-6290.json"
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"sha256": "e3e6401df3a293e4d7511661d7a71b6f6dace4b74bc9dd394c01647ae3848313",
"tlsh": "a8316207e0bf29291ec354a0558f03959bc0e3a32f6431fa71fc29191f0b129503b8af",
"path": "setup.py"
}
],
"package_integrity": [
{
"filename": "toorc-0.0.1-py3-none-any.whl",
"hashes": {
"sha256": "c8ead1ac2162b136fe0babfc1f6f34f4e3d9f499fc3f808e17db9ecf55e1ba5e",
"md5": "87b8e80085e5c76fce43e6ee293a583d",
"blake2b_256": "8bffdd9a7245f0f8e1b80d434a0432079bd32d9e055a6e3472014d3eeaa593e9"
}
},
{
"filename": "toorc-0.0.1.tar.gz",
"hashes": {
"sha256": "aa94fe4ea2cab90497da15cd24b5c24be34a29d8b7b1ae1cb5efbb2091f843d2",
"md5": "2aea2d99b8acf3bf0a5734cbd7f77e84",
"blake2b_256": "3d0684e0af55f5e3ccf134f7fe1d2efed1369b8085f3ec68077daa0c3a2ef65b"
}
}
]
}