VYPR

pypi · Malicious package advisory

Malware

fkaks

MAL-2026-6382

Malicious code in fkaks (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e44e1f1158eda01d3f18e3a3c01e30ebc9f8f92780ea532a63cf6ed31d8a25d3)
fkaks 0.0.1 ships a setup.py that overrides the install and egg_info commands so that any `pip install` or `pip download` of the package unconditionally executes a curl POST to a hardcoded out-of-band collector at http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun. The POST body is built by iterating the entire `os.environ` mapping (`env_vars_string = "&".join([f"{key}={value}" for key, value in env_vars.items()])`) and concatenating it with the output of `ps -elf`, harvesting whatever secrets the installer or CI host has in environment variables (cloud credentials such as AWS_*, GitHub/registry tokens, CI secrets, SSH agent paths) along with a full process listing. The transport is plaintext HTTP to an interactsh-style oast.fun subdomain — infrastructure typical of OOB exfiltration callbacks. The README's framing of the package as a demo of automatic code execution on pip install does not change the on-the-wire behavior: every installer is attacked.

## Source: kam193 (69b5a350ae8e5977b5d55e55ac57fb8d3e7c5b72b9d026596ffafeae8996daaf)
During installation, the package exfiltrates env variables


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-ip-rotat


Reasons (based on the campaign):


 - The package overrides the install command in setup.py to execute malicious code during installation.


 - exfiltration-env-variables


 - typosquatting

Compromised versions (1)

  • 0.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.