pypi · Malicious package advisory
Malwaretoorc
MAL-2026-6290
Malicious code in toorc (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (2cfd36909e089f17439dd3227c6f5ccef2fef2964dc26bbdbaaef0481b54615d) On `pip install` (and even `pip download`), the package's setup.py overrides the `install` and `egg_info` commands to execute a RunCommand() routine that serializes every entry in `os.environ` into a key=value query string and captures the output of `ps -elf`. The combined payload is then POSTed via curl over plaintext HTTP to `http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun`, a unique subdomain on the public interactsh out-of-band testing service. Any CI/build secrets present in the environment at install time (AWS_*, GITHUB_TOKEN, NPM_TOKEN, CI provider tokens, etc.) leak to the attacker-controlled OAST listener, along with a snapshot of running processes on the host. ## Source: kam193 (02334bfe46d6509e7900323066c5bb2eda0d5a34a6906cee5ccca3abaecb3ade) During installation, the package exfiltrates env variables --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-06-ip-rotat Reasons (based on the campaign): - The package overrides the install command in setup.py to execute malicious code during installation. - exfiltration-env-variables - typosquatting
Compromised versions (1)
- 0.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.