VYPR

pypi · Malicious package advisory

Malware

epic-build-scripts

MAL-2026-6733

Malicious code in epic-build-scripts (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (14d466b50466bb93e6e9130d18e67b680c7255beecafe16043dc5ee51bfec886)
On `import epic_build_scripts`, the package's top-level __init__ spawns a background thread that POSTs a JSON payload containing socket.gethostname(), the USER/USERNAME environment variable, and os.getcwd() to the hardcoded bare-IP HTTP endpoint http://109.123.247.172/pypi. The beacon fires automatically whenever the module is loaded, with no user consent, no documented purpose, no configurability, and errors are silently swallowed. The destination is a plaintext-HTTP bare IP unrelated to any publisher infrastructure, and the collected fields are installer host-identity reconnaissance data typical of the initial-recon stage of a supply-chain attack.

## Source: kam193 (93043b3f00a64c66fb0680256387471b656f222556c282c9cb1680347f14fae8)
Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.


---

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.


Campaign: GENERIC-standard-pypi-install-pentest


Reasons (based on the campaign):


 - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.


 - The package overrides the install command in setup.py to execute malicious code during installation.

Compromised versions (1)

  • 99999.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.