MAL-2026-6489

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/extra-huggingface/MAL-2026-6489.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6489

Published

2026-06-25T22:49:25Z

Modified

2026-06-26T01:16:24.790286709Z

Summary

Malicious code in extra-huggingface (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c76a4e01b00801049375b9e60419bfba79f9b0afbb02aab5b4117f989296c5d3)

The package presents itself as part of the Hugging Face ecosystem but actually ships a remote-access agent. extra_huggingface/__init__.py re-exports run_agent, run_task, agent_info, and a persistence primitive from a bundled 8.5 MB Windows PE module extra_huggingface/_native.pyd. The CLI hardcodes DEFAULT_SERVER = "http://91.92.40.212:8080" and provides subcommands run, install-autostart, remove-autostart, and autostart-status. When invoked, run_agent(server=...) polls the attacker-controlled server at 91.92.40.212:8080 and dispatches tasks delivered by that server on the installer's machine; install_autostart() calls the native persistence("install", server) to register the agent for execution after login/boot so the C2 connection survives reboot. The actual networking, command dispatch, and persistence logic live in the opaque native binary, with the Python layer acting as a thin shim. The package name impersonates the popular huggingface/huggingface_hub namespace while the metadata homepage is the placeholder github.com/example/extra_huggingface, consistent with a typosquat lure targeting ML developers.

Source: kam193 (4ebe54bed2c64bd1c1da46c59e7f1c4bb35b0ca64f9bbe5529c63a7a82eaef7c)

When starting the module, package activates RAT-capabilities, which includes exfiltrating sensitive data. Though the package is claimed to be for educational usage, the name and default actions suggest different intentions.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-extra-huggingface

Reasons (based on the campaign):

rat
exfiltration-browser-data
typosquatting
native-extension
persistence
infostealer

Database specific

{
    "iocs": {
        "urls": [
            "http://91.92.40.212:8080"
        ],
        "ips": [
            "91.92.40.212"
        ]
    },
    "malicious-packages-origins": [
        {
            "sha256": "4ebe54bed2c64bd1c1da46c59e7f1c4bb35b0ca64f9bbe5529c63a7a82eaef7c",
            "import_time": "2026-06-25T23:38:17.423588537Z",
            "source": "kam193",
            "modified_time": "2026-06-25T22:49:25.965933Z",
            "versions": [
                "0.4.0"
            ],
            "id": "pypi/2026-06-extra-huggingface/extra-huggingface"
        },
        {
            "sha256": "c76a4e01b00801049375b9e60419bfba79f9b0afbb02aab5b4117f989296c5d3",
            "import_time": "2026-06-26T00:59:26.009043144Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-26T00:43:07Z",
            "versions": [
                "0.4.0"
            ],
            "id": "IN-MAL-2026-007575"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / extra-huggingface

Package

Name: extra-huggingface; View open source insights on deps.dev
Purl: pkg:pypi/extra-huggingface

Affected ranges

Affected versions

0.*

0.4.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/extra-huggingface/MAL-2026-6489.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "tlsh": "34410344ac5718220fc7869d6c646a1543316e43090ff81cbaec26a42f5f53ba1e76fd",
            "sha256": "f963ba3f6ad8758b299c115e0bce66d057a6795bae30a0b7d4564a67e2f1a751",
            "path": "extra_huggingface/cli.py"
        },
        {
            "sha256": "ac7f9cb22d5703432dc0feff4f38c88b5c6ed153deff2a1e676d83ff687d1eda",
            "tlsh": "8d114cc6f47bac734fed93691043a751a7f409934d59a438f6fb11a81b0b02a42620fd",
            "path": "extra_huggingface/__init__.py"
        },
        {
            "sha256": "ac9ec40e2851c24013c60547d4cff27fd0b961c9075dcb15b45fb6797c9308c5",
            "tlsh": "4b01968304c95ef42fd3090b625c4d0588324e69564f18dcb9fa8a1fd592ab3403c17c",
            "path": "extra_huggingface-0.4.0.dist-info/METADATA"
        }
    ],
    "package_integrity": [
        {
            "filename": "extra_huggingface-0.4.0-cp311-abi3-win_amd64.whl",
            "hashes": {
                "sha256": "f8fd7fb9d5f2f750edef61cd4840f19e2505e2cf9efed8e60c8ad720e33afeac",
                "md5": "07c2a15a40f42805105d91f472846b25",
                "blake2b_256": "b39ec67d44f1406eb81753375ec21012a4837b1eebd4460dc1b896aa772e1ae8"
            }
        }
    ]
}