VYPR

pypi · Malicious package advisory

Malware

schemavault

MAL-2026-6753

Malicious code in schemavault (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4ae0aa9efa2a8389cfe9d5c41d5ab3689f4965c945a24613493f94f9de033ab1)
schemavault 4.1.0 is presented as a schema-validation library but ships capabilities and data that have no relationship to schema validation. schemavault/_registry.py defines three underscore-prefixed byte arrays: `_ep` (36 bytes), `_p` (7 bytes), and `_k` (16 hex constants shaped like a symmetric key). None of these names are read anywhere in the schemavault package. schemavault/imaging.py exports `extract_metadata()`, an LSB steganography decoder that reads a length-prefixed hidden string from the shipped asset `schemavault/assets/logo.bmp` (first 16 bits = length, then length*8 bits of pixel-LSB characters); this function is likewise not invoked from anywhere in schemavault. setup.py declares `install_requires=['bytekit']` — an unpinned, generically named dependency unrelated to schema validation. The pattern is a two-package split: the primary package holds encoded payload material and a decoder utility, and the unpinned generically-named dependency is positioned to be the loader that actually decodes and executes the staged content on install or import. Because pip resolves `bytekit` without a version pin from whichever registry is configured, `pip install schemavault` pulls attacker-controlled code into the installer's environment. The dormant carrier data + LSB decoder + unrelated unpinned loader dep together match the staged-dropper shape rather than any legitimate schema-library composition.

## Source: kam193 (2af83487d12e2c9e16e3a5fae1ac369bacd5d39622a04c537edd0dbdda4a143a)
The campaign consists of multiple packages. The trigger sits in the package 'procwire,' which depends on two others. During installation, procwire uses schemavault and bytekit packages. The first one holds the URL holding malware (in two places, once as steganography in the bundled image and once as a fallback just as a list of encoded bytes). The bytekit implements simple custom decoding used to retrieve back the URL in the fallback method. Additionally, procwire is also a dependency of confighub, turning another package into malware. The downloaded executable is run and quickly removed. The executable likely contains an infostealer and contacts the domain 030502[.]xyz


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-07-procwire


Reasons (based on the campaign):


 - The package overrides the install command in setup.py to execute malicious code during installation.


 - Downloads and executes a remote executable.


 - obfuscation


 - The malicious code is intentionally included in a dependency of the package


 - malware


 - steganography

Compromised versions (2)

  • 4.1.0
  • 4.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.