pypi · Malicious package advisory
Malwareequest
MAL-2026-6289
Malicious code in equest (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (cfe07e7f1e241dde491d3d6f5553ed2247a6f8e1dfdf34b0eaa9943a2cba5094) The package name `equest` is a one-character deletion of the widely-used `requests` package and ships no functional library code. setup.py registers custom install and egg_info cmdclasses so that on `pip install` or `pip download`, the package collects the full process environment (`os.environ` serialized as `key=value` pairs) and the output of `ps -elf`, then POSTs both to `http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun` via curl over plaintext HTTP. The destination is an Interactsh (oast.fun) collector subdomain controlled by the publisher. Any CI/build secrets present in the installer's environment at install time (cloud credentials, registry tokens, GitHub tokens, database credentials) are leaked to the attacker, and the running process list reveals additional host context. The README self-describes the package as a proof-of-concept of arbitrary code execution via `pip install`. ## Source: kam193 (293431a944f3eb8829d76e452763b22243f23990da542630767c3f1431e92dc1) During installation, the package exfiltrates env variables --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-06-ip-rotat Reasons (based on the campaign): - The package overrides the install command in setup.py to execute malicious code during installation. - exfiltration-env-variables - typosquatting
Compromised versions (1)
- 0.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.