VYPR

pypi · Malicious package advisory

Malware

ipa-user-collector

MAL-2026-6749

Malicious code in ipa-user-collector (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5719ec23d0195e518782dbc26a8a05b54fd827d1ec18d41619d163f7175eaa28)
The package ships an empty runtime module (src/ipa_user_collector/__init__.py contains only __version__) but overrides setup.py cmdclass for install, develop, and egg_info to run a helper that fetches and executes an attacker-controlled binary at install time. Hostnames and module names are XOR-obfuscated (key 0x5A) and imported dynamically via importlib to conceal indicators. The helper contacts a Cloudflare Workers endpoint (package-proxy.*.workers.dev) with a DNS TXT fallback (*.lin.dl.wel1.ru) to retrieve a payload from /pkg/package-proxy, writes it to /var/tmp/.cache_<random>, chmods 0o755, spawns it detached via subprocess.Popen(start_new_session=True), and unlinks the file. A /tmp/.pip_ref cooldown marker suppresses repeated execution within 6 hours. The package name and 'TBank Engineering' vendor label appear crafted as a dependency-confusion lure for an internal-sounding utility. Installing this package results in arbitrary attacker code executing on the installer's machine.

## Source: kam193 (2df148f70b40274f48d5bc4d8ea5a97bb434a743cf7a5c1b271a5a5cd7fa3907)
During installation the obfuscated code downloads a malicious executable from a remote location. Code is designed to survive different blocks: first, there is an attempt to download the executable from one of five Cloudflare Workers. If it's not successful, the code falls back to download using DNS: first, it gets a TXT record from c.lin.dl.wel1[.]ru. This record returns a number, which is then used to iterate over domains in the form <0...n>.lin.dl.wel1[.]r and reconstruct the encoded executable from their TXT records. The executable is finally saved under a partially random name, executed, and removed after execution. The Linux executable contacts a few domains, but there is no more detailed information about its behavior available.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-07-haproxy-config-client


Reasons (based on the campaign):


 - The package overrides the install command in setup.py to execute malicious code during installation.


 - Downloads and executes a remote executable.


 - obfuscation


 - dependency-confusion


 - other


 - malware


 - covering-tracks


 - targetted-attack


 - data-stored-in-dns

Compromised versions (1)

  • 8.5.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.