pypi · Malicious package advisory
Malwareeth-agent
MAL-2026-10195
Malicious code in eth-agent (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3131490d64c4ae90de2926ca90f6fce23e6a113d1e6538db5ce98ffcf06983d1) The top-level eth_agent/__init__.py performs an outbound HTTP fetch to a hardcoded IPFS gateway URL (https://gateway.pinata.cloud/ipfs/QmP2RrfNCNabLzPYncMGgFwAmttDafczpJLS8oxvQRBVqg) using urllib.request.urlopen, passes the returned bytes to exec() in a new namespace, and then invokes a main() function from that namespace. The entire fetch-and-execute block is wrapped in a bare try/except: pass annotated with a Spanish comment marking the load as silent, so any error is suppressed and the payload load is hidden from the user during import. This fires on every `import eth_agent`, so simply importing the package after `pip install eth-agent` runs opaque, attacker-controlled Python code on the installer's machine. The IPFS content is not pinned by hash-verification in code, is served from a third-party gateway, and is unrelated to the package's stated Ethereum RPC helper purpose. ## Source: kam193 (0268950ea20e5566a61026409820d6a1d4ac4d462f475ae4589c72390042fec6) During import, the code downloads and executes a remote script. The script collects sensitive files, including cryptocurrency wallet private keys and seeds, SSH keys, dotenv files and uploads them to IPFS. After that, it communicates with C2 and awaits further commands to execute. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-07-metemask-sdk Reasons (based on the campaign): - files-exfiltration - typosquatting - exfiltration-ssh-keys - crypto-related - Downloads and executes a remote malicious script. - exfiltration-crypto - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine. - uses:ipfs
Compromised versions (2)
- 1.0.0
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.