MAL-2026-6382

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fkaks/MAL-2026-6382.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6382
Published
2026-06-24T06:40:36Z
Modified
2026-06-25T03:31:24.477475033Z
Summary
Malicious code in fkaks (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e44e1f1158eda01d3f18e3a3c01e30ebc9f8f92780ea532a63cf6ed31d8a25d3)

fkaks 0.0.1 ships a setup.py that overrides the install and egg_info commands so that any pip install or pip download of the package unconditionally executes a curl POST to a hardcoded out-of-band collector at http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun. The POST body is built by iterating the entire os.environ mapping (env_vars_string = "&".join([f"{key}={value}" for key, value in env_vars.items()])) and concatenating it with the output of ps -elf, harvesting whatever secrets the installer or CI host has in environment variables (cloud credentials such as AWS*, GitHub/registry tokens, CI secrets, SSH agent paths) along with a full process listing. The transport is plaintext HTTP to an interactsh-style oast.fun subdomain — infrastructure typical of OOB exfiltration callbacks. The README's framing of the package as a demo of automatic code execution on pip install does not change the on-the-wire behavior: every installer is attacked.

Source: kam193 (69b5a350ae8e5977b5d55e55ac57fb8d3e7c5b72b9d026596ffafeae8996daaf)

During installation, the package exfiltrates env variables


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-ip-rotat

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • exfiltration-env-variables

  • typosquatting

Database specific
{
    "iocs": {
        "domains": [
            "gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun"
        ]
    },
    "malicious-packages-origins": [
        {
            "sha256": "69b5a350ae8e5977b5d55e55ac57fb8d3e7c5b72b9d026596ffafeae8996daaf",
            "import_time": "2026-06-24T07:47:34.501529765Z",
            "source": "kam193",
            "modified_time": "2026-06-24T06:40:36.226075Z",
            "versions": [
                "0.0.1"
            ],
            "id": "pypi/2026-06-ip-rotat/fkaks"
        },
        {
            "sha256": "e44e1f1158eda01d3f18e3a3c01e30ebc9f8f92780ea532a63cf6ed31d8a25d3",
            "import_time": "2026-06-25T03:13:55.541153987Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-25T01:52:10Z",
            "versions": [
                "0.0.1"
            ],
            "id": "IN-MAL-2026-007453"
        }
    ]
}
Affected packages

PyPI / fkaks

Affected versions

0.*
0.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fkaks/MAL-2026-6382.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "8109d6e2db3830e5a81e1fc703364e0ff69482c091fa9f4d70fc86e1e5b96c56",
            "tlsh": "0b316207e0bf19291ec344a0558f13959bc0e3a32f6431fa71fc29191f0b129103b8af",
            "path": "setup.py"
        }
    ],
    "package_integrity": [
        {
            "filename": "fkaks-0.0.1-py3-none-any.whl",
            "hashes": {
                "sha256": "0d1a9c428ec580a1ce047a33493f7d18b516ce82c7de55c8ba04e8234b052cb6",
                "md5": "bc554e53e67bef1ecdc9d2ee7832ee8d",
                "blake2b_256": "cc27c57b7dbc6fc1ffd3630a8a1eae1b3a384ca39813c04095c8d167170e586f"
            }
        },
        {
            "filename": "fkaks-0.0.1.tar.gz",
            "hashes": {
                "sha256": "b5d25aa8c29da975ca0fc268d602d692ddd8bb88c1413b35c48d0d54da554237",
                "md5": "9a5e9489f73d7c10bb97cc7c1da35fd1",
                "blake2b_256": "c0ea050155612a258813e41cef33d50535ddda0f2fd173f437f4943a112b4593"
            }
        }
    ]
}