VYPR

pypi · Malicious package advisory

Malware

ip-rotat

MAL-2026-6280

Malicious code in ip-rotat (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e85ab2724beee13bb6c2658c5bf5d50069c83619f062d39935226ff1fee1c0a3)
On `pip install` or `pip download`, setup.py registers overridden `install` and `egg_info` cmdclass entries that execute `ps -elf` to capture the host's process listing and iterate the entire `os.environ` mapping into a URL-encoded body, then POST the combined payload via curl to `http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun` over plaintext HTTP. Bulk env scraping at install time leaks any CI/CD secrets present in the environment (AWS keys, GitHub/npm/PyPI tokens, etc.) along with a system-wide process listing. The package ships no actual ip-rotation functionality — setup.py contains only the exfiltration payload, the package name `ip_rotat` is a one-character truncation of common `ip-rotator`-style libraries, and the README references the `this_is_fine_wuzzi` install-time-code-execution PoC. The combination of name confusion, zero advertised functionality, and an automatic install-time exfil hook is a supply-chain attack against any installer.

## Source: kam193 (a7a8225ea0ef3ae5d58eed407fa3e3af246d4e246125598ce5e6720fc4e47e5d)
During installation, the package exfiltrates env variables


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-ip-rotat


Reasons (based on the campaign):


 - The package overrides the install command in setup.py to execute malicious code during installation.


 - exfiltration-env-variables


 - typosquatting

Compromised versions (1)

  • 0.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.