Vypr Intelligence, AI-generated, Jun 15, 2026

PyPI: 16 Malicious Packages Drop in 16-Minute Window, All Share Version `2.2160.0` and C2 `fixars.top`

Sixteen malicious PyPI packages were disclosed in a 16-minute coordinated drop on June 15, 2026 — 14 sharing the identical version string `2.2160.0` and all communicating with the same C2 domain, `fixars.top`.

Key findings

  • 14 of 16 packages share the identical version string 2.2160.0, indicating a single automated publishing pipeline
  • All 16 advisories were published within a 16-minute window on 2026-06-15
  • Packages impersonate internal tooling from Mozilla, Intel, Google, Databricks, and Netflix
  • Every package communicates with fixars.top and uses mshta.exe or os.system() for command execution
  • The campaign targets Windows developer workstations via LOLBin techniques in setup.py install hooks
  • The impersonation targets suggest a broad-spectrum credential-harvesting campaign, not a single-organization focus

On June 15, 2026, 16 malicious PyPI packages were disclosed in a coordinated 16-minute window, all flagged between 17:24 and 17:40 UTC. The packages share a striking common signature: 14 of the 16 carry the exact same version string 2.2160.0, a suspiciously uniform release number that points to a single automated publishing pipeline. The remaining two packages — pyptllm (v0.2) and testpgagent (v0.2, v0.1) — were disclosed at the edges of the window but fit the same behavioral profile. No single popular package anchors the burst; instead, the story is the campaign itself: a coordinated drop of typosquatting and impersonation packages targeting internal tooling names from recognizable organizations, all communicating with the same command-and-control infrastructure.

The naming pattern is eclectic but revealing. Several packages impersonate internal Mozilla project tooling: mozautomation, merino-common, kinto-slack, scriptworker-client, and sl-pgp all echo legitimate Mozilla service names. Others target Intel's AI toolchain: intel-ai-safety, intel-ai-safety-explainer, llvm-aie, and mlir-aie — the latter two referencing the AI Engine (AIE) architecture used in Intel's FPGA tooling. gigl-core appears to impersonate Google's GIGL (Giant Global Graph) internal project. databricks-tools-core and dispatch-internal-plugins target Databricks and Netflix's Dispatch incident-management framework respectively. node-scraper is a generic tooling name, while hello-test-s1 and testpgagent read as test packages that may have been used for initial probing. The diversity of targets — Mozilla, Intel, Google, Databricks, Netflix — suggests a broad-spectrum campaign rather than a single-organization focus.

Every package was analyzed by the OpenSSF Package Analysis project, and the behavioral findings are consistent across the board. The packages execute commands via os.system() or invoke mshta.exe to download and run remote payloads. They communicate with fixars.top, a domain that appears in the behavioral telemetry of multiple packages in this burst. The post-install scripts — embedded in setup.py — fetch additional stages from this domain, establishing a persistent command-and-control channel. The use of mshta.exe is particularly notable: it's a Windows LOLBin (Living-off-the-Land Binary) that executes HTA (HTML Application) payloads, often used to bypass application allowlisting. This suggests the campaign targets developer workstations running Windows, a common environment for data engineers and ML practitioners who would be drawn to packages like intel-ai-safety or databricks-tools-core.
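The install-hook pattern described above (a cmdclass override of install whose run() shells out, with mshta or the C2 domain appearing as a string) can be triaged statically before a package is ever installed. The following is an added example written for this article, not OpenSSF Package Analysis or any tooling from the advisories; the function name triage_setup_py is hypothetical, the sample setup.py text is constructed for the demonstration with a placeholder in place of any real command, and only the indicator strings mshta and fixars.top and the version 2.2160.0 come from the article.

```python
"""Static triage of a setup.py for the pip-install hook pattern: a cmdclass
override of `install` whose run() calls os.system()/subprocess, plus the
campaign's indicator strings. Added example, not the page's own tooling."""
import ast

# (module, attribute) pairs that hand a string to a shell or spawn a process.
# Aliased imports (e.g. `import subprocess as sp`) are not resolved here.
SHELL_CALLS = {("os", "system"), ("os", "popen"), ("subprocess", "run"),
               ("subprocess", "Popen"), ("subprocess", "call"),
               ("subprocess", "check_output")}
SUSPICIOUS_TOKENS = ("mshta", "fixars.top")   # from the article
CAMPAIGN_VERSION = "2.2160.0"                 # shared by 14 of 16 packages


def _dotted(func):
    """Return (module, attr) for a call like os.system(...), else None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id, func.attr
    return None


def triage_setup_py(source: str):
    """Return a list of human-readable findings; [] means no indicator seen."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.Call, ast.Constant)):
            continue
        if isinstance(node, ast.Constant):
            # 3. Indicator strings anywhere in the file.
            if isinstance(node.value, str):
                for tok in SUSPICIOUS_TOKENS:
                    if tok in node.value.lower():
                        findings.append(f"line {node.lineno}: string contains '{tok}'")
            continue
        # 1. setup(..., cmdclass={"install": ...}) hooks code into `pip install`.
        if isinstance(node.func, ast.Name) and node.func.id == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for key in kw.value.keys:
                        if isinstance(key, ast.Constant) and key.value in ("install", "develop", "egg_info"):
                            findings.append(f"line {node.lineno}: cmdclass overrides '{key.value}'")
                if kw.arg == "version" and isinstance(kw.value, ast.Constant) and kw.value.value == CAMPAIGN_VERSION:
                    findings.append(f"line {node.lineno}: version is the shared campaign string {CAMPAIGN_VERSION}")
        # 2. Shell execution calls.
        target = _dotted(node.func)
        if target in SHELL_CALLS:
            findings.append(f"line {node.lineno}: shell execution via {'.'.join(target)}()")
    return findings


# Constructed sample setup.py; the command string is a placeholder, not a live payload.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import os

class PostInstall(install):
    def run(self):
        install.run(self)
        # constructed placeholder, not a live command
        os.system("mshta PLACEHOLDER")

setup(
    name="example-pkg",
    version="2.2160.0",
    cmdclass={"install": PostInstall},
)
'''

if __name__ == "__main__":
    for finding in triage_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

Run it against an unpacked sdist (pip download --no-binary :all: --no-deps NAME, then extract) before installing; an empty result is not a clean bill of health, since obfuscated or runtime-built strings evade this kind of literal matching, but a cmdclass override combined with a shell call is a strong enough signal to block a package from a workstation until a sandbox run has looked at it.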

The severity is unambiguous. The GitHub Security Advisory (GHSA) boilerplate for these packages states that any system that installed these packages should be considered fully compromised. The malware gains arbitrary code execution on the victim's machine through the setup.py install hook, which runs automatically during pip install. From there, it can exfiltrate environment variables, SSH keys, cloud credentials, and API tokens. The impersonation targets — internal tooling packages for Mozilla, Intel, Databricks, and Google — suggest the attacker was specifically hunting for developers with access to those organizations' internal infrastructure. A developer who mistypes mozautomation or intel-ai-safety and installs the malicious package would expose not just their own credentials but potentially their employer's CI/CD secrets and cloud access tokens.

Developers should immediately audit their requirements.txt and pip freeze output for any of the 16 package names. The full list to check: intel-ai-safety-explainer, hello-test-s1, merino-common, node-scraper, dispatch-internal-plugins, llvm-aie, gigl-core, databricks-tools-core, mlir-aie, intel-ai-safety, sl-pgp, kinto-slack, mozautomation, scriptworker-client, pyptllm, and testpgagent. If any are found, rotate all secrets and credentials from a clean, separate machine. The malicious version 2.2160.0 is the primary indicator — any package with this version string should be treated as compromised. For gigl-core (v0.3.1), hello-test-s1 (v0.3.0, v0.3.1), and pyptllm (v0.2), the version numbers differ but the behavioral signature matches.
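The audit described in this paragraph is easy to get wrong by hand because pip normalizes names (Intel_AI_Safety, intel.ai.safety and intel-ai-safety are the same project) and because the version indicator applies independently of the name. The script below is an added example for this article, not tooling from Vypr or the advisories: the sixteen names and the version 2.2160.0 are taken from the text, the function names are hypothetical, and the pip freeze output it scans is constructed for the demonstration.

```python
"""Scan requirements.txt or `pip freeze` text for the 16 package names and
the shared version string from this burst. Added example, not the article's
own tooling; names and version are from the article."""
import re

FLAGGED_NAMES = {
    "intel-ai-safety-explainer", "hello-test-s1", "merino-common",
    "node-scraper", "dispatch-internal-plugins", "llvm-aie", "gigl-core",
    "databricks-tools-core", "mlir-aie", "intel-ai-safety", "sl-pgp",
    "kinto-slack", "mozautomation", "scriptworker-client", "pyptllm",
    "testpgagent",
}
FLAGGED_VERSION = "2.2160.0"   # shared by 14 of the 16 packages

# Matches "name==1.2.3", "name>=1.0", "name[extra]==1.0" or a bare "name".
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?"
    r"\s*(?:(?P<op>===|==|~=|!=|<=|>=|<|>)\s*(?P<version>[^\s;#]+))?"
)


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str):
    """Return (normalized_name, operator, version) or None for non-requirement lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("-", "git+", "http")):
        return None   # pip options and VCS/URL requirements are out of scope here
    m = _REQ_RE.match(line)
    if not m:
        return None
    return normalize(m.group("name")), m.group("op"), m.group("version")


def audit(text: str):
    """Return a list of (original_line, reason) for every flagged requirement."""
    hits = []
    for raw in text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, _op, version = parsed
        reasons = []
        if name in FLAGGED_NAMES:
            reasons.append("name in advisory list")
        if version == FLAGGED_VERSION:
            reasons.append(f"pinned to shared malicious version {FLAGGED_VERSION}")
        if reasons:
            hits.append((raw.strip(), "; ".join(reasons)))
    return hits


# Constructed sample of `pip freeze` output from a hypothetical affected workstation.
SAMPLE_FREEZE = """\
certifi==2024.2.2
Intel_AI_Safety==2.2160.0
numpy>=1.26
requests==2.31.0
# pinned internal helper
some-unrelated-tool==2.2160.0
scriptworker.client
-e git+https://example.invalid/repo.git#egg=local-pkg
"""

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FREEZE):
        print(f"FLAGGED {line!r}: {reason}")
```

Feed it the output of pip freeze from every virtual environment on the workstation, not only the committed requirements file, since a typosquatted name is often installed ad hoc and never pinned; any hit means the credentials that environment could reach should be rotated from a separate clean machine, as the paragraph above says.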

This burst fits a growing pattern of coordinated malicious package drops on PyPI. The 16-minute window is tight enough to suggest a single actor using automated publishing tooling, and the uniform version string 2.2160.0 across 14 packages is a rare operational fingerprint. The campaign's breadth — targeting five distinct organizations' internal tooling names — indicates a spray-and-pray approach rather than a focused supply-chain attack on any single entity. The use of fixars.top as a shared C2 domain and mshta.exe as a LOLBin delivery mechanism shows a level of tradecraft that has become increasingly common in PyPI malware campaigns throughout 2025 and 2026.

AI-written article. Grounded in 0 CVE records listed below.