-= Per source details. Do not edit below this line.=-
During installation, the package exfiltrates env variables
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-ip-rotat
Reasons (based on the campaign):
The package overrides the install command in setup.py to execute malicious code during installation.
exfiltration-env-variables
typosquatting
{
"iocs": {
"domains": [
"gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun"
]
},
"malicious-packages-origins": [
{
"versions": [
"0.0.1"
],
"id": "pypi/2026-06-ip-rotat/mcpsever",
"modified_time": "2026-06-24T06:39:18.746467Z",
"import_time": "2026-06-24T07:47:34.503360553Z",
"sha256": "087fec121d53b905e66a2c368e905de51bc7aa3863f0777589a18d45623d3515",
"source": "kam193"
}
]
}