MAL-2026-4221
Malicious code in selfservsweeper (PyPI)
Details
## Source: amazon-inspector (81843a6f21fe31627b1e97fdb8ffe41789c1f921c60512347bbf2b0c2fb30121)

Package self-describes as a 'Touch-friendly Minesweeper overlay for NCR SelfServ kiosks', but the advertised CLI entrypoints (`selfservsweeper`, `selfservsweeper-cli`) call `run_app()`, which auto-spawns `python -m selfservsweeper.selfservclient` as a side process. That module long-polls `https://api.telegram.org/bot<redacted>/` using a hardcoded bot token shipped in `src/selfservsweeper/api_url.pkl`, accepts commands prefixed `B2B1:` from the Telegram channel `@selfservserverbot`, and executes attacker-supplied 'jobs'. The job handler in `selfservclient.py` includes a `/file <path>` directive that writes attacker-supplied content to disk, and `send_file_result` reads any `path` field from a job result and uploads the raw bytes back to Telegram via `sendDocument`: a bidirectional read/write file primitive on the installer's machine. The Telegram bot token is identical for every install, so anyone who unpacks the wheel inherits command authority over every running instance. `grammarly.py` additionally loads bundled `.pkl` artifacts (`levenshtein.pkl`, `user_config_tempdir.pkl`) via `pickle.load` and binds the resulting callables as `edit_distance_cls` and `Sandbox._is_valid_path`, invoking them on attacker-controlled job text, an obfuscation channel for arbitrary code reduction. The `install --enable-startup` subcommand (and the GUI 'Enable' button) writes `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SelfServSweeper.vbs`, persisting the supervisor (and thus the Telegram client) across logins, and the supervisor's auto-update path `pip install`s the package on every boot to keep the backdoor live and self-updating. The minesweeper UI is cover; the package's effect on any installer who runs the advertised binary is a persistent, attacker-controlled remote command channel with file read/write reach.
## Source: kam193 (261d2d72c05ac44f1cc977e3ec5e1f42ff1634f80b06a4b84b62e9079b8de8db)

When used, the package executes remote commands disguised as OCR job requests.
---
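The behaviours the amazon-inspector source lists (a hardcoded Telegram bot-API poll, `pickle.load` of bundled `.pkl` artifacts, a Startup-folder `.vbs` drop, and a `pip install` self-update) are all visible in an unpacked wheel's source without running it. The scanner below is an added example written for this advisory, not code from the advisory's sources or from the package itself: it walks any unpacked package tree, applies one regex per indicator to each `.py` line, notes bundled `.pkl` files, and combines the hits into a verdict. The sample package it builds (`pkg/app.py`, `pkg/client.py`, `pkg/install.py`, `pkg/levenshtein.pkl`) is constructed for the example and is not the real selfservsweeper code; the indicator names and thresholds are this example's own choices.

```python
"""Static indicator scan for an unpacked Python package tree (added example)."""
import re
import tempfile
from pathlib import Path

# One regex per behaviour the advisory describes; applied line by line to .py files.
INDICATORS = [
    ("telegram_bot_api", re.compile(r"api\.telegram\.org/bot")),
    ("pickle_load", re.compile(r"\bpickle\.loads?\(")),
    ("startup_persistence", re.compile(r"Programs\\Startup.*\.vbs", re.I)),
    ("pip_self_update", re.compile(r"\bpip\b.{0,40}\binstall\b")),
    ("subprocess_spawn", re.compile(r"\bsubprocess\.(?:Popen|run|call)\b")),
]

# Constructed sample tree mimicking the described layout; NOT the real package.
SAMPLE_FILES = {
    "pkg/__init__.py": "from .app import run_app\n",
    "pkg/app.py": (
        "import subprocess, sys\n"
        "def run_app():\n"
        "    # constructed: spawns a side process running a module\n"
        "    subprocess.Popen([sys.executable, '-m', 'pkg.client'])\n"
    ),
    "pkg/client.py": (
        "import pickle\n"
        "API = 'https://api.telegram.org/bot<TOKEN-PLACEHOLDER>/'\n"
        "dist = pickle.load(open('levenshtein.pkl', 'rb'))\n"
    ),
    "pkg/install.py": (
        "STARTUP = r'%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Sweeper.vbs'\n"
        "def update():\n"
        "    subprocess.run([sys.executable, '-m', 'pip', 'install', '-U', 'pkg'])\n"
    ),
    "pkg/levenshtein.pkl": "<binary placeholder>",
    "pkg/clean.py": "def add(a, b):\n    return a + b\n",
}


def build_sample_tree():
    """Write the constructed sample package to a temp dir and return its root."""
    base = Path(tempfile.mkdtemp(prefix="pkgscan-"))
    for rel, content in SAMPLE_FILES.items():
        dest = base / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content)
    return base


def scan_package_tree(root):
    """Return findings (indicator, file, line no, line), bundled .pkl files and the hit set."""
    root = Path(root)
    findings, pkl_files = [], []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".pkl":
            pkl_files.append(rel)          # data files that pickle.load may turn into code
            continue
        if path.suffix != ".py":
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for name, pattern in INDICATORS:
                if pattern.search(line):
                    findings.append((name, rel, lineno, line.strip()))
    hits = {f[0] for f in findings}
    if "pickle_load" in hits and pkl_files:
        hits.add("bundled_pickle_artifact")  # loader plus shipped artifact: hidden code path
    return {"findings": findings, "pkl_files": pkl_files, "indicators": hits}


def verdict(report):
    """A hardcoded bot-API poll plus persistence or a hidden-code channel is the
    combination the advisory describes; anything else with hits just needs review."""
    ind = report["indicators"]
    strong = {"bundled_pickle_artifact", "startup_persistence", "pip_self_update"}
    if "telegram_bot_api" in ind and ind & strong:
        return "likely-backdoor"
    return "review" if ind else "clean"


if __name__ == "__main__":
    rep = scan_package_tree(build_sample_tree())
    for f in rep["findings"]:
        print("%-22s %s:%d  %s" % f)
    print("bundled .pkl:", rep["pkl_files"])
    print("verdict:", verdict(rep))
```

Point `scan_package_tree` at the directory produced by `pip download <pkg> --no-deps` followed by `unzip` to inspect a wheel before installing it; a `telegram_bot_api` hit together with a Startup-folder path or a bundled pickle artifact is the pattern both sources describe, and the scan runs nothing from the package.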
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-selfservsweeper
Reasons (based on the campaign):
- obfuscation
- The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
- persistence
- backdoor
Affected packages
No fixed version published yet for selfservsweeper (pip). Pin to a known-safe version or switch to an alternative.