pypi · Malicious package advisory
Malwareturbocalcng
MAL-2026-10441
Malicious code in turbocalcng (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (58f668de627f83b0348d681edd090804f202add609fdc9a3c671f987608fb448) turbocalcng/__init__.py imports arithmetic.py, which — beneath a facade of arithmetic helpers — contains an XOR-obfuscated in-memory native code execution path reachable at import time. A helper iReferringj(k,d) XOR-decodes byte lists into the strings 'base64', 'ctypes', 'mmap', 'threading', 'CFUNCTYPE', 'Thread', 'daemon', 'start', etc., and resolves them dynamically via getattr / __import__ / importlib.util.spec_from_file_location to hide the dangerous imports from static review. The reachable loader allocates an RWX region with mmap.mmap(-1, size, prot=7, flags=34), writes decoded bytes into it, casts the region's address through ctypes.CFUNCTYPE and invokes it inside a daemon threading.Thread — executing attacker-supplied native code in the installer's Python process on `import turbocalcng`. The obfuscation of core module names alongside the RWX + function-pointer-cast + thread-start primitive is characteristic of hostile shellcode injection, not any legitimate arithmetic functionality. ## Source: kam193 (42db7e152a9be09d9e9dbd0db5242957ff335922fbc9cf430d406cff396a063f) During import an obfuscated code starts in-memory functions from a binary blob; after that, it communicates with dockfinancial[.]lu, the exact behaviour is unknown. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-07-turbocalc Reasons (based on the campaign): - obfuscation - other
Compromised versions (2)
- 0.1.0
- 0.2.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.