pypi · Malicious package advisory
Malwareip-rotat
MAL-2026-6280
Malicious code in ip-rotat (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e85ab2724beee13bb6c2658c5bf5d50069c83619f062d39935226ff1fee1c0a3) On `pip install` or `pip download`, setup.py registers overridden `install` and `egg_info` cmdclass entries that execute `ps -elf` to capture the host's process listing and iterate the entire `os.environ` mapping into a URL-encoded body, then POST the combined payload via curl to `http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun` over plaintext HTTP. Bulk env scraping at install time leaks any CI/CD secrets present in the environment (AWS keys, GitHub/npm/PyPI tokens, etc.) along with a system-wide process listing. The package ships no actual ip-rotation functionality — setup.py contains only the exfiltration payload, the package name `ip_rotat` is a one-character truncation of common `ip-rotator`-style libraries, and the README references the `this_is_fine_wuzzi` install-time-code-execution PoC. The combination of name confusion, zero advertised functionality, and an automatic install-time exfil hook is a supply-chain attack against any installer. ## Source: kam193 (a7a8225ea0ef3ae5d58eed407fa3e3af246d4e246125598ce5e6720fc4e47e5d) During installation, the package exfiltrates env variables --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-06-ip-rotat Reasons (based on the campaign): - The package overrides the install command in setup.py to execute malicious code during installation. - exfiltration-env-variables - typosquatting
Compromised versions (1)
- 0.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.