VYPR

pypi · Malicious package advisory

Malware

jsonschema-viewer

MAL-2026-6248

Malicious code in jsonschema-viewer (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3692022b4caf5ac51d868aaae58e793520ac3bd36703841eb615942baf85bb87)
The package's only function — main() in src/jsonschema_viewer/main.py, registered as the `jsonschema-viewer` console script — invokes os.system to fetch a shell script from http://49.232.169.67:8084/slt via curl or wget and pipes the response into `sh`. The fetch uses plaintext HTTP to a bare IP with no pinning, no hash verification, and an opaque payload, and bears no relationship to the package's advertised purpose ('A minimal jsonschema-viewer package'). Author metadata is the placeholder 'Your Name' with no email/URL and the README is a single empty sentence, consistent with a throwaway dropper package. Any developer who installs this package and runs the documented CLI executes arbitrary attacker-controlled code on their machine.

## Source: kam193 (76cad60a803b91e4da8eb438787ca5f044fd3deafedef5de1fdb4e92bd8fd9e1)
Package configures an entry point (command line) that executes a remote script. It then downloads a next stage malware, which acts as next dropper for a fileless malware.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-jsonschema-viewer


Reasons (based on the campaign):


 - malware


 - Downloads and executes a remote executable.


 - Downloads and executes a remote malicious script.

Compromised versions (1)

  • 0.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.