VYPR

pypi · Malicious package advisory

Malware

confighub

MAL-2026-6752

Malicious code in confighub (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (805d9b5848999d2ba85368446cb12d90bf350b8201a78dd475079c04f180dd81)
confighub 7.0.1 declares install_requires=['procwire'] and imports procwire at package load in __init__.py under a version gate that silently swallows ImportError (try: import procwire as _pw except ImportError: pass). procwire is not referenced anywhere in confighub's own code (loader.py, manager.py) and is not mentioned in the README or API documentation. confighub's own code is benign, but installing confighub forces resolution and import of an undocumented sibling package whose behavior determines the actual installer-side risk. If procwire is attacker-controlled or malicious, confighub acts as the delivery vector; if procwire is a benign helper, this is only a documentation/hygiene issue. Human review of procwire itself is required to determine whether this is a dependency-based dropper or an undisclosed but benign split.

## Source: kam193 (7c0b6d6eae8eecdf0317e7d4c624ff2a1eee1ca58c92c6b4fac34dd2567f4556)
This package depends on malicious 'procwire', which starts malicious actions during installation.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-07-procwire


Reasons (based on the campaign):


 - The package overrides the install command in setup.py to execute malicious code during installation.


 - Downloads and executes a remote executable.


 - obfuscation


 - The malicious code is intentionally included in a dependency of the package


 - malware


 - steganography

Compromised versions (2)

  • 7.0.1
  • 7.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.