Vulnerability-Lookup

MAL-2026-5519

Vulnerability from ossf_malicious_packages

Published

2026-06-10 17:11

Modified

2026-06-16 10:19

Summary

Malicious code in requests-toolbelt-plus (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (38c64ca050de4910f56bc4a652890b0a378082859cb62153762c6ae08b4b8eae)

The package impersonates the popular requests-toolbelt library but ships an empty requests_toolbelt_plus/__init__.py and places its real logic in setup.py. On pip install, setup.py checks /proc/version for WSL markers and, when matched, opens a TCP socket to the hardcoded IP 185.184.192.205 on port 4444, sends a JSON beacon containing os.getlogin(), os.uname().nodename, and os.getcwd(), then spawns a background thread that reads JSON commands from the socket and executes them via subprocess.run(cmd, shell=True, capture_output=True, text=True), returning stdout/stderr to the operator — full remote command execution against the installer's machine. setup.py also appends a Python one-liner to ~/.bashrc that re-opens the same socket, dup2s stdio onto it, and execs /bin/bash -i, giving the attacker a persistent interactive reverse shell that fires on every new login shell and survives package uninstall. The WSL-only gating is a deliberate evasion to stay dormant on non-WSL maintainer machines and execute only on targeted Windows-Subsystem-for-Linux developer hosts.

Source: kam193 (bd626be82a68d95788077b8b3c87a960c87d971e55496791cedf85154d99087f)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.

CWE

CWE-506 - The product contains code that appears to be malicious in nature.
CWE-506 - The product contains code that appears to be malicious in nature.

Credits

Amazon Inspector inspector-research@amazon.com

Kamil Mańkowski (kam193) github.com/kam193 bad-packages.kam193.eu/

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "setup.py",
              "sha256": "9b86e3072f1ac94de464250b62d35bd74eca80f444a283fbc3f5db6c066c6a6e",
              "tlsh": "404142c1dcb90120e3b3909918259062a7677d033b46d8787abd87b06f8a079a0b95b9"
            },
            {
              "path": "PKG-INFO",
              "sha256": "a0122930824287222cc11b4598fec403993fe98807725564777d6cea63985118",
              "tlsh": "ced0a79b33862131f4c38089059c465790f9d10171ca2066c4c60ee962cf2489245438"
            }
          ],
          "package_integrity": [
            {
              "filename": "requests_toolbelt_plus-99.9.9-py3-none-any.whl",
              "hashes": {
                "blake2b_256": "62b1be1c6a672ebde0f1e5f07834bee2ec69282e165e2b329d60e24949ab49f1",
                "md5": "e98fa689bf5c5701b9a075fae46f9564",
                "sha256": "7fe6c3efb7b642c75cb23bdc84b4978c5c3d48896e38ad67c5c516561aabe10f"
              }
            },
            {
              "filename": "requests_toolbelt_plus-99.9.9.tar.gz",
              "hashes": {
                "blake2b_256": "abed5c121232e9ab398165d373644d77de1ce266487ba199b69ae525eaf569c0",
                "md5": "889faf0acbe8ae286dfc6178353fedb7",
                "sha256": "1134df5e03681ef11254b3370b1e054d7c2e8db4dd52c5aa59ec02a1d15219e0"
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "requests-toolbelt-plus"
      },
      "versions": [
        "99.9.9",
        "99.9.10",
        "100.0.0",
        "2026.6.10.172624"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    },
    {
      "contact": [
        "https://github.com/kam193",
        "https://bad-packages.kam193.eu/"
      ],
      "name": "Kamil Ma\u0144kowski (kam193)",
      "type": "REPORTER"
    }
  ],
  "database_specific": {
    "iocs": {
      "ips": [
        "185.184.192.205"
      ]
    },
    "malicious-packages-origins": [
      {
        "id": "pypi/GENERIC-standard-pypi-install-pentest/requests-toolbelt-plus",
        "import_time": "2026-06-10T18:03:22.536305364Z",
        "modified_time": "2026-06-10T17:11:39.385096Z",
        "sha256": "bd626be82a68d95788077b8b3c87a960c87d971e55496791cedf85154d99087f",
        "source": "kam193",
        "versions": [
          "99.9.9",
          "99.9.10",
          "100.0.0",
          "2026.6.10.172624"
        ]
      },
      {
        "id": "IN-MAL-2026-005283",
        "import_time": "2026-06-10T19:23:47.877638703Z",
        "modified_time": "2026-06-10T18:26:49Z",
        "sha256": "38c64ca050de4910f56bc4a652890b0a378082859cb62153762c6ae08b4b8eae",
        "source": "amazon-inspector",
        "versions": [
          "99.9.9"
        ]
      },
      {
        "id": "IN-MAL-2026-005294",
        "import_time": "2026-06-10T19:23:48.738470163Z",
        "modified_time": "2026-06-10T18:41:57Z",
        "sha256": "477b55b0e81d5897d1d7252951b472225226bbca8a8d13a70e31cab1e9d13c26",
        "source": "amazon-inspector",
        "versions": [
          "100.0.0"
        ]
      },
      {
        "id": "pypi/2026-06-requests-toolbelt-plus/requests-toolbelt-plus",
        "import_time": "2026-06-16T10:17:17.180849181Z",
        "modified_time": "2026-06-16T09:28:08.624458Z",
        "sha256": "c11f6b62eb1505dcab0a9ab7e0dbdcebac4234d2b15ce3d3cea5137c1f72e2a2",
        "source": "kam193",
        "versions": [
          "99.9.9",
          "99.9.10",
          "100.0.0",
          "2026.6.10.172624"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (38c64ca050de4910f56bc4a652890b0a378082859cb62153762c6ae08b4b8eae)\nThe package impersonates the popular `requests-toolbelt` library but ships an empty `requests_toolbelt_plus/__init__.py` and places its real logic in `setup.py`. On `pip install`, setup.py checks `/proc/version` for WSL markers and, when matched, opens a TCP socket to the hardcoded IP 185.184.192.205 on port 4444, sends a JSON beacon containing `os.getlogin()`, `os.uname().nodename`, and `os.getcwd()`, then spawns a background thread that reads JSON commands from the socket and executes them via `subprocess.run(cmd, shell=True, capture_output=True, text=True)`, returning stdout/stderr to the operator \u2014 full remote command execution against the installer\u0027s machine. setup.py also appends a Python one-liner to `~/.bashrc` that re-opens the same socket, `dup2`s stdio onto it, and execs `/bin/bash -i`, giving the attacker a persistent interactive reverse shell that fires on every new login shell and survives package uninstall. The WSL-only gating is a deliberate evasion to stay dormant on non-WSL maintainer machines and execute only on targeted Windows-Subsystem-for-Linux developer hosts.\n\n## Source: kam193 (bd626be82a68d95788077b8b3c87a960c87d971e55496791cedf85154d99087f)\nInstalling the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research \u0026 co, with clearly low-harm possibilities.\n\n\nCampaign: GENERIC-standard-pypi-install-pentest\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n",
  "id": "MAL-2026-5519",
  "modified": "2026-06-16T10:19:05Z",
  "published": "2026-06-10T17:11:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://bad-packages.kam193.eu/pypi/package/requests-toolbelt-plus"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/requests-toolbelt-plus/99.9.9/"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/requests-toolbelt-plus/100.0.0/"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in requests-toolbelt-plus (PyPI)"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted