pypi · Malicious package advisory
Malwareepic-build-scripts
MAL-2026-6733
Malicious code in epic-build-scripts (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (14d466b50466bb93e6e9130d18e67b680c7255beecafe16043dc5ee51bfec886) On `import epic_build_scripts`, the package's top-level __init__ spawns a background thread that POSTs a JSON payload containing socket.gethostname(), the USER/USERNAME environment variable, and os.getcwd() to the hardcoded bare-IP HTTP endpoint http://109.123.247.172/pypi. The beacon fires automatically whenever the module is loaded, with no user consent, no documented purpose, no configurability, and errors are silently swallowed. The destination is a plaintext-HTTP bare IP unrelated to any publisher infrastructure, and the collected fields are installer host-identity reconnaissance data typical of the initial-recon stage of a supply-chain attack. ## Source: kam193 (93043b3f00a64c66fb0680256387471b656f222556c282c9cb1680347f14fae8) Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities. Campaign: GENERIC-standard-pypi-install-pentest Reasons (based on the campaign): - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk. - The package overrides the install command in setup.py to execute malicious code during installation.
Compromised versions (1)
- 99999.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.