MAL-2026-6383
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/gunicorm/MAL-2026-6383.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6383
- Published
- 2026-06-24T06:41:41Z
- Modified
- 2026-06-25T03:31:24.475098200Z
- Summary
- Malicious code in gunicorm (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (c97ab7b686dad57c3e1ffd4b86d6a75470164ed15ceedc2b26a4847fb2a331ab)
Package name
gunicormis a single-character edit of the widely-usedgunicornWSGI server and ships no functional code beyond setup.py. setup.py registers custominstallandegg_infocmdclasses so that, onpip installorpip download, the package captures the fullos.environand the output ofps -elf, then POSTs the combined data viacurltohttp://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun(an interactsh OAST collector). Environment variables on developer and CI machines routinely contain AWS keys, registry tokens, and other credentials, all of which are exfiltrated unconditionally to an attacker-controlled endpoint over plain HTTP. The README self-describes the package as a proof-of-concept that runs a command on pip download/install. There is no legitimate functionality.Source: kam193 (91d6bdf640b4cf2b87b464dda65ce3242f4c5c1840f568f0c6b953857c56df57)
During installation, the package exfiltrates env variables
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-ip-rotat
Reasons (based on the campaign):
The package overrides the install command in setup.py to execute malicious code during installation.
exfiltration-env-variables
typosquatting
- Database specific
{ "iocs": { "domains": [ "gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun" ] }, "malicious-packages-origins": [ { "sha256": "91d6bdf640b4cf2b87b464dda65ce3242f4c5c1840f568f0c6b953857c56df57", "import_time": "2026-06-24T07:47:34.50211809Z", "source": "kam193", "modified_time": "2026-06-24T06:41:42.040405Z", "versions": [ "0.0.1" ], "id": "pypi/2026-06-ip-rotat/gunicorm" }, { "sha256": "c97ab7b686dad57c3e1ffd4b86d6a75470164ed15ceedc2b26a4847fb2a331ab", "import_time": "2026-06-25T03:13:55.485395934Z", "source": "amazon-inspector", "modified_time": "2026-06-25T01:51:45Z", "versions": [ "0.0.1" ], "id": "IN-MAL-2026-007452" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / gunicorm
Package
- Name
- gunicorm
- View open source insights on deps.dev
- Purl
- pkg:pypi/gunicorm
Database specific
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/gunicorm/MAL-2026-6383.json"
cwes
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"sha256": "3be94e3ab87f938bd80459243d14e366c60a78af9f5638d8ed34d6272688c774",
"tlsh": "04315007e0bf19291fc354a0558f03959ac0e7a32b6431fa71fc29191f0a129103b9af",
"path": "setup.py"
}
],
"package_integrity": [
{
"filename": "gunicorm-0.0.1-py3-none-any.whl",
"hashes": {
"sha256": "4db44b41e9d8fa8da53d5654e93457e161575acaefebddc7080d9ea06d69c066",
"md5": "aa068ca313c3472d9b770ff6896b3ea7",
"blake2b_256": "91d9ad37007257559efd4edd62a5bcaf1e4c18a372a99bcf81a3daa9c140fe2a"
}
},
{
"filename": "gunicorm-0.0.1.tar.gz",
"hashes": {
"sha256": "935bb1c3adc194cbc37c2b648ca0af485b439b046a8a6f76ef63139f95ac6376",
"md5": "0ce1fcada799f0f9ae9d4b404774704c",
"blake2b_256": "082363ab0b2c87914a4ea2321d0d8372f25d2d102b947ad24ad17dfe78a8f182"
}
}
]
}