setup.py invokes GetGitCommitHash() unconditionally at module top level, so it runs on pip install openblox (and any setuptools invocation). On Windows the function builds its command via two helpers (GetDefaultSystemPolicy, CalculateNodeDrift) that reconstruct strings from integer arrays using chr(byte + 14); the arrays decode to mshta and https://fixars.top. The resulting command is passed to subprocess.check_output with shell=True, causing Windows installers to launch mshta https://fixars.top — the mshta.exe Living-Off-The-Land binary downloads and executes remote HTA/JScript, giving the operator arbitrary code execution on the installer's machine. The obfuscation (chr-arithmetic with helper functions falsely named for hardware/latency diagnostics) exists solely to hide the URL and binary name from static scanners. The package additionally exhibits a cover-story shape: it is published under the name openblox with a Roblox-themed description, but the actual code is an unrelated sqligen SQLite utility, with placeholder author metadata (John / john@example.com / github.com/john/sqligen). The Roblox-library name appears chosen to attract installs intended for the legitimate openblox API library.
During installation, the code attempts to download and start a malicious executable.
Likely related to 2025-08-raknet-testing-package.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-easyaillm
Reasons (based on the campaign):
Downloads and executes a remote executable.
obfuscation
malware
tool:mshta
{
  "iocs": {
    "domains": [
      "fixars.top"
    ],
    "urls": [
      "https://pastebin.com/raw/hEF5HaFc",
      "https://pastebin.com/raw/yBcUM1QBs",
      "https://pastebin.com/raw/yBcUM1QB",
      "http://fixars.top",
      "https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe",
      "http://62.60.226.243/public_files/98r4aXA.txt",
      "http://62.60.226.243/public_files/16sas.jpg?12711313"
    ]
  },
  "malicious-packages-origins": [
    {
      "sha256": "20f2506c62a484f986c8e40a2b7e977adb84415ede954d8c3488aa9d727bb25f",
      "id": "IN-MAL-2026-007591",
      "source": "amazon-inspector",
      "modified_time": "2026-06-26T04:51:52Z",
      "versions": [
        "1.0.1"
      ],
      "import_time": "2026-06-26T04:57:29.014306027Z"
    },
    {
      "sha256": "cdd874a78973f84b5373fc03a48472c338ca82ef0a258b7614f81a8359da1201",
      "import_time": "2026-06-26T04:57:28.985678428Z",
      "source": "amazon-inspector",
      "modified_time": "2026-06-26T04:51:49Z",
      "versions": [
        "1.0.0"
      ],
      "id": "IN-MAL-2026-007590"
    },
    {
      "sha256": "a8567ce5afa387ad85e22cb7c9144f18e816ae0912f109d7a8afec0dbc1d2b6d",
      "import_time": "2026-06-26T10:34:51.115208299Z",
      "source": "kam193",
      "modified_time": "2026-06-26T09:19:57.58757Z",
      "versions": [
        "1.0.0",
        "1.0.1"
      ],
      "id": "pypi/2026-06-easyaillm/openblox"
    }
  ]
}
Source record: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/openblox/MAL-2026-6504.json
[
  {
    "name": "Embedded Malicious Code",
    "description": "The product contains code that appears to be malicious in nature.",
    "cweId": "CWE-506"
  },
  {
    "name": "Embedded Malicious Code",
    "description": "The product contains code that appears to be malicious in nature.",
    "cweId": "CWE-506"
  }
]
{
  "evidence_files": [
    {
      "tlsh": "9642d796ea560a75e7c742f0890747c67b7afa2b16010874bcdec1081f4a6b983772ed",
      "sha256": "5373dd42ec3c14a56bcd46e8b7f076a1f44a1db64cde899550525d9fea186550",
      "path": "setup.py"
    }
  ],
  "package_integrity": [
    {
      "filename": "openblox-1.0.1.tar.gz",
      "hashes": {
        "sha256": "992ac4caa31827527eb2f98191b37a3b97cafb272f1a0ca232aedb715c807123",
        "md5": "bfb0e7c1db674fbdbab5d397c45e563a",
        "blake2b_256": "74dd05f08a8bcf39fd46327acb3ed7fcf340f5d541c92eb3e6e8aee704959782"
      }
    }
  ]
}