MAL-2026-5458
Malicious code in ultimate-ai-power (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (90499eb8f54fcc67c067ef7d5397153b4abfc5bbca9d96e7deb291152f49ed3f)

On `import ultimate_ai_power`, the package's top-level `__init__.py` collects the local username (`getpass.getuser`) and resolved host IP (`socket.gethostbyname`) and POSTs them to a hardcoded Telegram Bot API endpoint (bot token 8844473290:AAGY..., chat_id 7095972030); a second beacon is sent via an `atexit` handler. The advertised AI functions (`ai_power_boost`, `neural_enhance`, `quantum_compute`) are placeholders that return constant strings — the package has no real functionality beyond the exfiltration beacon. Metadata uses a placeholder author 'AI Innovation Labs' with a non-existent GitHub org. Cover-story messages in the beacon payload are written in Russian. Any installer who imports the package leaks identifying host/user information to the attacker.
## Source: kam193 (70f226090d6e1bc8acebdeff932907dda5bcf88c21b6c47d25360cd69a606f0d)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.
---
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: GENERIC-standard-pypi-install-pentest
Reasons (based on the campaign):
- The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
- The package overrides the install command in setup.py to execute malicious code during installation.
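
A static check for the two behaviours reported above (host fingerprinting that runs on import from `__init__.py`, and an overridden `install` command in `setup.py`), added here as an example and not taken from either source's tooling. It uses only Python's `ast` module, so the package under review is parsed and never imported; the function names and the two sample strings are constructed for illustration.

```python
import ast
# Calls the advisory names as the fingerprinting and beacon primitives.
SUSPECT = {"getpass.getuser", "socket.gethostbyname", "atexit.register"}

def dotted(node):
    """'a.b' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

def import_time_calls(source):
    """Suspect calls reached on import. Parses only, never executes the code.
    Aliased imports (from getpass import getuser) are not resolved."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    hits = set()
    def visit(node):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            return  # body runs only when called, not on import
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SUSPECT:
                hits.add((node.lineno, name))
            elif name in funcs:  # module-level call into a same-file function
                for stmt in funcs.pop(name).body:  # pop: follow each one once
                    visit(stmt)
        for child in ast.iter_child_nodes(node):
            visit(child)
    visit(tree)
    return sorted(hits)

def overrides_install(setup_source):
    """True if a call in setup.py passes cmdclass={'install': ...}."""
    for kw in ast.walk(ast.parse(setup_source)):
        if isinstance(kw, ast.keyword) and kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
            return any(isinstance(k, ast.Constant) and k.value == "install"
                       for k in kw.value.keys)
    return False

# Constructed samples: parsed as text, never run, and without any network code.
SAMPLE_INIT = ("import atexit, getpass, socket\n"
               "def _collect():\n"
               "    return getpass.getuser(), socket.gethostbyname(socket.gethostname())\n"
               "_collect()\natexit.register(_collect)\n")
SAMPLE_SETUP = ("from setuptools import setup\n"
                "from setuptools.command.install import install\n"
                "setup(name='example-pkg', cmdclass={'install': install})\n")
```

Run `import_time_calls` over an unpacked sdist's top-level `__init__.py` and `overrides_install` over its `setup.py` before the package is installed; a hit is a reason to read the file, not a verdict.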
Affected packages
No fixed version published yet for ultimate-ai-power (pip). Pin to a known-safe version or switch to an alternative.