pypi · Malicious package advisory
Malwarehttpprobe
MAL-2026-6758
Malicious code in httpprobe (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (cb46b890b54f51f3a98c1935dbd50e143430757c5daf4080039d32865b04c1d5) The package advertises itself as an 'HTTP probing tool for security researchers' but contains no HTTP-probing functionality. Its only behavior is to fetch and execute a Windows PE binary named 'mirai_agent.exe' from a hardcoded Tor hidden service (sytej5umomwukd77aantkxqj4aoke3kfist6eyne2pngavgsakum3iid.onion), with a localhost fallback. Two independent execution paths deliver the payload: (1) setup.py overrides the install command with a PostInstall class that spawns a background thread on `pip install` to download the binary, write it to a Microsoft-look-alike path under %TEMP%/MS/Update/agent.exe, set hidden+system file attributes via SetFileAttributesW, and launch it via CreateProcessW with CREATE_NO_WINDOW; (2) httpprobe/__init__.py exposes a main() that performs the same fetch-stage-hide-execute sequence at import time via CreateProcessW or subprocess.Popen. The duplicated install-time and import-time execution paths ensure code execution on the installer's Windows machine regardless of whether the package is installed or later imported by a consumer. The Microsoft-look-alike staging path, hidden+system attributes, no-window flag, and Tor-only delivery are all consistent with intent to persist an attacker-controlled binary on the developer's machine. ## Source: kam193 (5a1fef079efe68484b2d37fb2e1bb3d0cebfeccf27a8a0f9b1e8436e664ea42e) If run as a module and during installation, the package attempts to download and start an executable described as a Mirai agent. During analysis, the Onion website hosting executable was not available. Using Onion and localhost fallback suggests the package was not yet ready to deliver malicious actions to the end users. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-07-httpprobe Reasons (based on the campaign): - Downloads and executes a remote executable. - The package overrides the install command in setup.py to execute malicious code during installation.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.