MAL-2026-6558

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fsociety-tools/MAL-2026-6558.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6558
Published
2026-06-28T11:03:41Z
Modified
2026-06-29T07:16:42.992037278Z
Summary
Malicious code in fsociety-tools (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (88731d75288f663967fc64dde12b04eb43a2eb3d4113486bf35b1cf3d89ae537)

On import, fsociety_tools/__init__.py loads tokens.py, which at module load time instantiates TokenManager(). The constructor concatenates eight large string chunks, base64-decodes the result, XOR-decrypts the bytes with key 66, writes the decoded Windows executable to %TEMP%\fsociety.tmp, and launches it via subprocess.Popen with shell=True and creationflags=0x08000000 (CREATE_NO_WINDOW) so no console window appears. The surrounding TokenManager/validatetoken/TokenAPI scaffolding and the package's self-description as 'Security and penetration testing utilities for ethical hackers' (with a Mr. Robot-themed author identity) are cover for the dropper: the advertised CLI only prints fake Discord-shaped tokens, while the real effect of import fsociety_tools (or invoking the installed fsociety console script, which imports the package) is materialization and silent execution of an opaque embedded PE on Windows. Splitting the payload across multiple variables, base64+XOR encoding, hidden-window execution, and a decoy benign API together constitute an unambiguous import-time binary dropper.

Source: kam193 (a6cc8226dddc34465de607c5b458e927a11942543cc17b30a5ca125abce2e81b)

During import, the package executes the embedded executable. It is an infostealer named internally as "NBSteal", focused on exfiltrating data from browsers, Telegram, Discord, Roblox and other gaming platforms, and other credentials.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-discord-token-generator

Reasons (based on the campaign):

  • infostealer

  • files-exfiltration

  • obfuscation

  • exfiltration-browser-data

  • malware

  • target:telegram

  • exfiltration-credentials

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0",
                "1.0.1",
                "1.0.2"
            ],
            "sha256": "a6cc8226dddc34465de607c5b458e927a11942543cc17b30a5ca125abce2e81b",
            "source": "kam193",
            "modified_time": "2026-06-28T11:03:41.542036Z",
            "import_time": "2026-06-28T11:37:31.068682642Z",
            "id": "pypi/2026-06-discord-token-generator/fsociety-tools"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "sha256": "f49bb412c3e105392fa2cd4c245f0ea81b26b2b7bfaa5f5804df48e745e2a97d",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-29T05:50:28Z",
            "source": "amazon-inspector",
            "import_time": "2026-06-29T07:09:10.228790657Z",
            "id": "IN-MAL-2026-007755"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "88731d75288f663967fc64dde12b04eb43a2eb3d4113486bf35b1cf3d89ae537",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-29T05:50:17Z",
            "import_time": "2026-06-29T07:09:10.158145401Z",
            "id": "IN-MAL-2026-007754"
        }
    ],
    "iocs": {
        "urls": [
            "https://nbbtest.bnfdkfq156.workers.dev/"
        ],
        "domains": [
            "nbbtest.bnfdkfq156.workers.dev"
        ]
    }
}

Affected packages

PyPI / fsociety-tools

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.0
1.0.1
1.0.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "fsociety_tools-1.0.1-py3-none-any.whl",
            "hashes": {
                "sha256": "96a3a7368a87257d1bda9ba05a42a06a40e877bd6ab40b341418056ff8cfa263",
                "md5": "db971f2f5a5eed4d5b729af9e756fcbe",
                "blake2b_256": "c8e11549dd5d6f30eea6a9811dc46842ca6a3b99b59c7c4dd1853ba5e9cc0078"
            }
        },
        {
            "filename": "fsociety_tools-1.0.1.tar.gz",
            "hashes": {
                "sha256": "aea3fdeee76170028e9a07d29d519eb79c629e895840e35c0b86e8f97f4d024f",
                "md5": "11926a0751e0012919e32c2a15195589",
                "blake2b_256": "274098413e3efd8f7d2f40a47a505fa1dc90c65580f597ff2d23a07a2a9bf704"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e20b006099ef352ca8b4d2e7f01a3e33342e7bff5a6025b5e294ad81865d37ee",
            "path": "fsociety_tools/tokens.py",
            "tlsh": "c9731973e905036bdb1e01455eb4cf5fa4522722f202ddd8390a38999ffe66f12e482b"
        },
        {
            "sha256": "90eb6152f3dac7638ad0beaa0f92305e782632abc3113ba2e21ed08029e87e07",
            "path": "setup.py",
            "tlsh": "0911544ac5a8adb412d2c1562c6599ae45f9e4172fae30cc739c42082f4d2ff537615d"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fsociety-tools/MAL-2026-6558.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]