VYPR

pypi · Malicious package advisory

Malware

turbocalcng

MAL-2026-10441

Malicious code in turbocalcng (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (58f668de627f83b0348d681edd090804f202add609fdc9a3c671f987608fb448)
turbocalcng/__init__.py imports arithmetic.py, which — beneath a facade of arithmetic helpers — contains an XOR-obfuscated in-memory native code execution path reachable at import time. A helper iReferringj(k,d) XOR-decodes byte lists into the strings 'base64', 'ctypes', 'mmap', 'threading', 'CFUNCTYPE', 'Thread', 'daemon', 'start', etc., and resolves them dynamically via getattr / __import__ / importlib.util.spec_from_file_location to hide the dangerous imports from static review. The reachable loader allocates an RWX region with mmap.mmap(-1, size, prot=7, flags=34), writes decoded bytes into it, casts the region's address through ctypes.CFUNCTYPE and invokes it inside a daemon threading.Thread — executing attacker-supplied native code in the installer's Python process on `import turbocalcng`. The obfuscation of core module names alongside the RWX + function-pointer-cast + thread-start primitive is characteristic of hostile shellcode injection, not any legitimate arithmetic functionality.

## Source: kam193 (42db7e152a9be09d9e9dbd0db5242957ff335922fbc9cf430d406cff396a063f)
During import an obfuscated code starts in-memory functions from a binary blob; after that, it communicates with dockfinancial[.]lu, the exact behaviour is unknown.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-07-turbocalc


Reasons (based on the campaign):


 - obfuscation


 - other

Compromised versions (2)

  • 0.1.0
  • 0.2.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.