MAL-2026-878
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/magichat/MAL-2026-878.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-878
- Published
- 2026-02-13T10:56:11Z
- Modified
- 2026-02-14T14:04:57.726808Z
- Summary
- Malicious code in magichat (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (42cf9a8fdfde42b15f94ed81efe1d74f692ce738f3819978b6760e46faf1e95c)
The package is prepared to download a hardcoded executable and save it in %LOCALAPPDATA% under a very generic name, clearly aiming to hide its existence. Code is also prepared to alter MarkOfTheWeb, start as admin and run the executable, but in analyzed versions this behavior was not triggered in any existing code path. The downloading will happen e.g. on starting the declared command line.
Remote executables are standalone applications or installators, including ClickOnce installators. However, in the analysis attempts, none of them showed clear malicious behavior, in most cases crashing during the analysis. Captured network traffic shows communication with the remote server and likely expects the URL of the next stage, which was not delivered from the server. Additionally, the code embeds a separate path for execution on non-Windows machines. It attempts to execute a remote script, but in analyzed versions, the domain used is already suspended and not reachable.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-02-magichat
Reasons (based on the campaign):
Downloads and executes a remote executable.
other
typosquatting
- Database specific
{ "iocs": { "urls": [ "https://www.dropbox.com/scl/fi/8g8j2g6ceuj12loonrxpu/Installer.exe?rlkey=9pi7bsdb31jlgxmntwde4j54h&st=3t69etqf&dl=1", "https://www.dropbox.com/scl/fi/itjqck6r0eivh655ijau9/DocSend.application?rlkey=gmbotpa64r8gqtbwiyo4wlfys&st=k0zrfnxe&dl=1" ], "domains": [ "doc-sendapplication.com" ] }, "malicious-packages-origins": [ { "import_time": "2026-02-13T11:44:07.974194887Z", "modified_time": "2026-02-13T10:56:11.411983Z", "source": "kam193", "sha256": "016f12f6cc3656294be9c8d11c1d07ef953f6c204a9d76b1d5ab21b8ad87b2a1", "id": "pypi/2026-02-magichat/magichat", "versions": [ "0.1.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.1.0", "1.1.1", "1.1.2" ] }, { "import_time": "2026-02-13T23:43:52.196017516Z", "modified_time": "2026-02-13T10:56:11.411983Z", "source": "kam193", "sha256": "42cf9a8fdfde42b15f94ed81efe1d74f692ce738f3819978b6760e46faf1e95c", "id": "pypi/2026-02-magichat/magichat", "versions": [ "0.1.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.1.0", "1.1.1", "1.1.2" ] }, { "import_time": "2026-02-14T01:38:16.026134075Z", "modified_time": "2026-02-14T00:52:47.961654Z", "source": "kam193", "sha256": "b44e51035841826fb293ba041756cd9e79a7053fbb129e71a28b0a871639fe94", "id": "pypi/2026-02-magichat/magichat", "versions": [ "0.1.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.1.0", "1.1.1", "1.1.2", "1.1.8" ] }, { "import_time": "2026-02-14T13:48:17.481880598Z", "modified_time": "2026-02-14T13:18:35.960251Z", "source": "kam193", "sha256": "a77c3922633d4ba65720dabe7737b3ae2afcbbf6ba28435f18ef85c3289f2c92", "id": "pypi/2026-02-magichat/magichat", "versions": [ "0.1.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.1.0", "1.1.1", "1.1.2", "1.1.8", "1.2.2" ] } ] }- References
-
- https://tria.ge/260212-z9ndmabs3b
- https://bad-packages.kam193.eu/pypi/package/magichat
- https://www.virustotal.com/gui/file/703439f496bded646bb01b62d2cec96f713346a5e38249cdcab4b4840ea56aa9/detection
- https://app.any.run/tasks/6c406e3e-5a9b-4019-8427-8be8b30e284a
- https://tria.ge/260213-22j3cah18b/behavioral1
- Credits
-
-
- Kamil Mańkowski (kam193) - ANALYST
-
- Kamil Mańkowski (kam193) - REPORTER
-
Affected packages
PyPI / magichat
Package
- Name
- magichat
- View open source insights on deps.dev
- Purl
- pkg:pypi/magichat