MAL-2026-6488

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pyext6cc8cd/MAL-2026-6488.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6488
Published
2026-06-25T22:45:45Z
Modified
2026-06-25T23:16:24.389063043Z
Summary
Malicious code in pyext6cc8cd (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f98319eaa02d50e8a098d9cfaaca054df5acc8238dd08b2e24899f700e029a07)

On pip install, setup.py decodes a hex string via bytes.fromhex("6f70656e202d612043616c63756c61746f72").decode().split() to the argv open -a Calculator and executes it through subprocess.Popen before setuptools.setup() is called. The command runs unconditionally as part of the install lifecycle. The package metadata is placeholder (Author, Home-page, and Description are all 'UNKNOWN') and the package ships no functional code, so this is a proof-of-concept / test artifact demonstrating arbitrary install-time command execution. While the decoded payload here only opens macOS Calculator, the hex obfuscation of the argv is a deliberate technique to evade scanners that grep setup.py for literal command strings, and the same primitive trivially swaps to a destructive or exfiltration payload. Installers should treat this version as untrusted install-time code execution.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007566",
            "modified_time": "2026-06-25T22:45:45Z",
            "import_time": "2026-06-25T23:00:34.943587111Z",
            "sha256": "f98319eaa02d50e8a098d9cfaaca054df5acc8238dd08b2e24899f700e029a07",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

PyPI / pyext6cc8cd

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pyext6cc8cd/MAL-2026-6488.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "pyext6cc8cd-1.0.0.tar.gz",
            "hashes": {
                "md5": "055eed3d1f38d187dc43875a71cd0e18",
                "sha256": "74e9e3f93c39a9e43e1dd44b2325a0efac64594ca200265ee0173432799558c2",
                "blake2b_256": "5329c96214c672eb2d3eeacb316f7000f93cb84d0396e853b55d17aa52b5cd19"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "setup.py",
            "sha256": "94e6e11ef84a7100db3ea720d1cd2e7907e279b4d7a1494eb636794616c5ad11",
            "tlsh": "f6c022924927eaf920bcc2f80e8040e12e34aa151b03ca681a4627a2038e0b0ae18044"
        }
    ]
}