VYPR

pypi · Malicious package advisory

Malware

fsociety-tools

MAL-2026-6558

Malicious code in fsociety-tools (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (88731d75288f663967fc64dde12b04eb43a2eb3d4113486bf35b1cf3d89ae537)
On import, fsociety_tools/__init__.py loads tokens.py, which at module load time instantiates TokenManager(). The constructor concatenates eight large string chunks, base64-decodes the result, XOR-decrypts the bytes with key 66, writes the decoded Windows executable to %TEMP%\fsociety.tmp, and launches it via subprocess.Popen with shell=True and creationflags=0x08000000 (CREATE_NO_WINDOW) so no console window appears. The surrounding TokenManager/validate_token/TokenAPI scaffolding and the package's self-description as 'Security and penetration testing utilities for ethical hackers' (with a Mr. Robot themed author identity) are cover for the dropper: the advertised CLI only prints fake Discord-shaped tokens, while the real effect of `import fsociety_tools` (or invoking the installed `fsociety` console script, which imports the package) is materialization and silent execution of an opaque embedded PE on Windows. Splitting the payload across multiple variables, base64+XOR encoding, hidden-window execution, and a decoy benign API together constitute an unambiguous import-time binary dropper.

## Source: kam193 (a6cc8226dddc34465de607c5b458e927a11942543cc17b30a5ca125abce2e81b)
During import, package executes the embedded executable. It is an infostealer named internally as "NBSteal", focused on exfiltrating data from browsers, Telegram, Discord, Roblox and other gaming platforms, and other credentials.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-discord-token-generator


Reasons (based on the campaign):


 - infostealer


 - files-exfiltration


 - obfuscation


 - exfiltration-browser-data


 - malware


 - target:telegram


 - exfiltration-credentials

Compromised versions (3)

  • 1.0.0
  • 1.0.1
  • 1.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.