Vulnerability-Lookup

MAL-2026-4231

Vulnerability from ossf_malicious_packages

Published

2026-05-22 00:50

Modified

2026-05-26 05:55

Summary

Malicious code in pylogfmt (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (34bc39125496330ed9b38f1f6d7f06db7e150d83144f9d7e1e04552112851c4a)

On import pylogfmt, the package's init.py spawns a detached background subprocess (subprocess.Popen([sys.executable, '_check.py'], stdout=DEVNULL, stderr=DEVNULL)) that runs an infinite loop POSTing the package install path to https://pypkg.dev/project/pylogfmt/json every 60 seconds with TLS verification explicitly disabled. The HTTP response body is base64-decoded and dispatched to a worker thread (threading.Thread(target=check, args=(package_list.decode(),))), which is the canonical remote-payload-dispatcher shape — the operator controls returned bytes and the client decodes and feeds them into a handler. The destination domain pypkg.dev is a lookalike of pypi.org/pypa with no relation to the package's declared logging-library purpose. Output suppression (DEVNULL on both streams), undocumented behavior (README advertises only a logging helper), TLS bypass, and lookalike C2 destination together are unambiguous attack signals. Any consumer that imports pylogfmt as a library leaks their install path to attacker infrastructure on a 60-second polling interval and is one server-side change away from arbitrary remote code execution.

Source: kam193 (ba18f7e82fa8d07985ef44f6ce5a8d4b7759f2e348b6ba073bba4dd463740d8e)

Package silently executes remote code during import.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-lognest

Reasons (based on the campaign):

Downloads and executes a remote malicious script.

CWE

CWE-506 - The product contains code that appears to be malicious in nature.

Credits

Amazon Inspector actran@amazon.com

Kamil Mańkowski (kam193) github.com/kam193 bad-packages.kam193.eu/

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "pylogfmt/_check.py",
              "sha256": "bf5431f15ed16df0384db105c13709524efef7e88dc0df417e3dc6011a7b6879",
              "tlsh": "53210216a91c00e6e3424956c811a6185337fc0f6641c6b0faed93a01fd8576c2f3686"
            },
            {
              "path": "pylogfmt/__init__.py",
              "sha256": "9d76c45fdb04524dc4f0dcbdb1b7148f336b2fcf78361bc7dc0aab2aea7bd90b",
              "tlsh": "2c01c06a8b1f6167416ec6a8600b07206792c5c7df5a80f471dcb3b42f8b97a15dd42d"
            }
          ],
          "package_integrity": [
            {
              "filename": "pylogfmt-0.1.0-py3-none-any.whl",
              "hashes": {
                "blake2b_256": "86be5dde1fc76f3470cfdb6dff75fea205581404e0b60b187cc3546f907af3ea",
                "md5": "8f2c1c7f071f6efb62feee412c51fbea",
                "sha256": "29f0ec17a0528bda8df8026303f283339c045a1f0915c3e325278559a6aa8935"
              }
            },
            {
              "filename": "pylogfmt-0.1.0.tar.gz",
              "hashes": {
                "blake2b_256": "f744f1e217ffa3bcaac548d218af31a4175477a32066fb60d8e73ee40183f381",
                "md5": "7c82e7e862c8010da69c43f19cd75d23",
                "sha256": "eccbb4d087e47b9734f84a0b70103000f98b24951c0e2f1dfb012bbc52cdc21c"
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "pylogfmt"
      },
      "versions": [
        "0.1.0"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "actran@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    },
    {
      "contact": [
        "https://github.com/kam193",
        "https://bad-packages.kam193.eu/"
      ],
      "name": "Kamil Ma\u0144kowski (kam193)",
      "type": "REPORTER"
    }
  ],
  "database_specific": {
    "iocs": {
      "domains": [
        "pypkg.dev"
      ],
      "urls": [
        "https://pypkg.dev/project/logger/json"
      ]
    },
    "malicious-packages-origins": [
      {
        "id": "pypi/2026-05-lognest/pylogfmt",
        "import_time": "2026-05-22T01:45:39.363126729Z",
        "modified_time": "2026-05-22T00:50:54.252397Z",
        "sha256": "ba18f7e82fa8d07985ef44f6ce5a8d4b7759f2e348b6ba073bba4dd463740d8e",
        "source": "kam193",
        "versions": [
          "0.1.0"
        ]
      },
      {
        "id": "IN-MAL-2026-004107",
        "import_time": "2026-05-26T05:51:57.187535619Z",
        "modified_time": "2026-05-22T00:54:11Z",
        "sha256": "34bc39125496330ed9b38f1f6d7f06db7e150d83144f9d7e1e04552112851c4a",
        "source": "amazon-inspector",
        "versions": [
          "0.1.0"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (34bc39125496330ed9b38f1f6d7f06db7e150d83144f9d7e1e04552112851c4a)\nOn `import pylogfmt`, the package\u0027s __init__.py spawns a detached background subprocess (`subprocess.Popen([sys.executable, \u0027_check.py\u0027], stdout=DEVNULL, stderr=DEVNULL)`) that runs an infinite loop POSTing the package install path to https://pypkg.dev/project/pylogfmt/json every 60 seconds with TLS verification explicitly disabled. The HTTP response body is base64-decoded and dispatched to a worker thread (`threading.Thread(target=check, args=(package_list.decode(),))`), which is the canonical remote-payload-dispatcher shape \u2014 the operator controls returned bytes and the client decodes and feeds them into a handler. The destination domain pypkg.dev is a lookalike of pypi.org/pypa with no relation to the package\u0027s declared logging-library purpose. Output suppression (DEVNULL on both streams), undocumented behavior (README advertises only a logging helper), TLS bypass, and lookalike C2 destination together are unambiguous attack signals. Any consumer that imports pylogfmt as a library leaks their install path to attacker infrastructure on a 60-second polling interval and is one server-side change away from arbitrary remote code execution.\n\n## Source: kam193 (ba18f7e82fa8d07985ef44f6ce5a8d4b7759f2e348b6ba073bba4dd463740d8e)\nPackage silently executes remote code during import.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-05-lognest\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n",
  "id": "MAL-2026-4231",
  "modified": "2026-05-26T05:55:05Z",
  "published": "2026-05-22T00:50:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://bad-packages.kam193.eu/pypi/package/pylogfmt"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/pylogfmt/0.1.0/"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in pylogfmt (PyPI)"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted