VYPR

pypi · Malicious package advisory

Malware

extra-huggingface

MAL-2026-6489

Malicious code in extra-huggingface (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c76a4e01b00801049375b9e60419bfba79f9b0afbb02aab5b4117f989296c5d3)
The package presents itself as part of the Hugging Face ecosystem but actually ships a remote-access agent. `extra_huggingface/__init__.py` re-exports `run_agent`, `run_task`, `agent_info`, and a `persistence` primitive from a bundled 8.5 MB Windows PE module `extra_huggingface/_native.pyd`. The CLI hardcodes `DEFAULT_SERVER = "http://91.92.40.212:8080"` and provides subcommands `run`, `install-autostart`, `remove-autostart`, and `autostart-status`. When invoked, `run_agent(server=...)` polls the attacker-controlled server at 91.92.40.212:8080 and dispatches tasks delivered by that server on the installer's machine; `install_autostart()` calls the native `persistence("install", server)` to register the agent for execution after login/boot so the C2 connection survives reboot. The actual networking, command dispatch, and persistence logic live in the opaque native binary, with the Python layer acting as a thin shim. The package name impersonates the popular `huggingface`/`huggingface_hub` namespace while the metadata homepage is the placeholder `github.com/example/extra_huggingface`, consistent with a typosquat lure targeting ML developers.

## Source: kam193 (4ebe54bed2c64bd1c1da46c59e7f1c4bb35b0ca64f9bbe5529c63a7a82eaef7c)
When starting the module, package activates RAT-capabilities, which includes exfiltrating sensitive data. Though the package is claimed to be for educational usage, the name and default actions suggest different intentions.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-extra-huggingface


Reasons (based on the campaign):


 - rat


 - exfiltration-browser-data


 - typosquatting


 - native-extension


 - persistence


 - infostealer

Compromised versions (1)

  • 0.4.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.