pypi · Malicious package advisory
Malwarejsonschema-viewer
MAL-2026-6248
Malicious code in jsonschema-viewer (PyPI)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3692022b4caf5ac51d868aaae58e793520ac3bd36703841eb615942baf85bb87)
The package's only function — main() in src/jsonschema_viewer/main.py, registered as the `jsonschema-viewer` console script — invokes os.system to fetch a shell script from http://49.232.169.67:8084/slt via curl or wget and pipes the response into `sh`. The fetch uses plaintext HTTP to a bare IP with no pinning, no hash verification, and an opaque payload, and bears no relationship to the package's advertised purpose ('A minimal jsonschema-viewer package'). Author metadata is the placeholder 'Your Name' with no email/URL and the README is a single empty sentence, consistent with a throwaway dropper package. Any developer who installs this package and runs the documented CLI executes arbitrary attacker-controlled code on their machine.
## Source: kam193 (76cad60a803b91e4da8eb438787ca5f044fd3deafedef5de1fdb4e92bd8fd9e1)
Package configures an entry point (command line) that executes a remote script. It then downloads a next stage malware, which acts as next dropper for a fileless malware.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-jsonschema-viewer
Reasons (based on the campaign):
- malware
- Downloads and executes a remote executable.
- Downloads and executes a remote malicious script.
Compromised versions (1)
- 0.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.