VYPR

pypi · Malicious package advisory

Malware

toorc

MAL-2026-6290

Malicious code in toorc (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2cfd36909e089f17439dd3227c6f5ccef2fef2964dc26bbdbaaef0481b54615d)
On `pip install` (and even `pip download`), the package's setup.py overrides the `install` and `egg_info` commands to execute a RunCommand() routine that serializes every entry in `os.environ` into a key=value query string and captures the output of `ps -elf`. The combined payload is then POSTed via curl over plaintext HTTP to `http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun`, a unique subdomain on the public interactsh out-of-band testing service. Any CI/build secrets present in the environment at install time (AWS_*, GITHUB_TOKEN, NPM_TOKEN, CI provider tokens, etc.) leak to the attacker-controlled OAST listener, along with a snapshot of running processes on the host.

## Source: kam193 (02334bfe46d6509e7900323066c5bb2eda0d5a34a6906cee5ccca3abaecb3ade)
During installation, the package exfiltrates env variables


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-ip-rotat


Reasons (based on the campaign):


 - The package overrides the install command in setup.py to execute malicious code during installation.


 - exfiltration-env-variables


 - typosquatting

Compromised versions (1)

  • 0.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.