pypi · Malicious package advisory
Malwarehorde-python-client
MAL-2026-6734
Malicious code in horde-python-client (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f2ae9afcd7af22c82b137c1142ae643502d82f3d1f28712b2e5c7ec412bea85e) horde-python-client 99999.0.0 is a dependency-confusion lure. On `import horde_python_client`, a daemon thread unconditionally POSTs a JSON payload containing the host's hostname, the USER/USERNAME environment variable, and the current working directory to http://109.123.247.172/pypi over plain HTTP. The destination is a bare IP unrelated to any legitimate package publisher. The package ships with placeholder metadata (description "Internal package", author "Security Research") and an absurdly high version number (99999.0.0) — the canonical shape for overriding a target organization's private package of the same name in resolver precedence. Installer harm: any developer or build system that resolves this package and imports it leaks host identifiers to the attacker, confirming a successful dependency-confusion hit and enabling follow-on targeting. ## Source: kam193 (ad72fe1fdc56e7fb5716a906fb8481bfe1e477d2f97c649d5db853a79130628a) Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities. Campaign: GENERIC-standard-pypi-install-pentest Reasons (based on the campaign): - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk. - The package overrides the install command in setup.py to execute malicious code during installation.
Compromised versions (1)
- 99999.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.