MAL-2026-5839
Malicious code in cipherflow (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (281ede3c5b3181c2df22a4b32a01453a51ac389a1dfe8bde69d53821cbaf20d4)

cipherflow advertises itself as a zero-dependency pure-Python AES/DES library, but cipherflow/_environ.py contains a multi-layer-obfuscated payload that is decoded and passed directly to exec(). The blob is base85-decoded, XOR'd against a 32-byte key, then zlib-decompressed before being executed: `exec(zlib.decompress(bytes(__[i]^_[i%len(_)] for i in range(len(__)))).decode())` with `__ = base64.b85decode(b'MJ*(r4W!?y...')`. This payload is exposed via cipherflow.setup_env() (declared in __all__), whose docstring translates to 'download and execute external environment'. The function is not mentioned anywhere in the README/PKG-INFO. The combination of triple-stacked encoding (base85 + XOR + zlib) terminating in exec(), placement inside a cover-named module (_environ.py / setup_env), and intentional omission from documentation are canonical signals of hidden malicious code execution. Any consumer who imports cipherflow and invokes setup_env() — or any downstream code that does so — runs whatever bytes the author chose to hide, with full process privileges.
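The decode-chain-into-exec shape described above can be checked for statically before a package is ever imported. The following is an added example, not code from the advisory or from the cipherflow package: it parses Python source with the standard `ast` module (no execution) and reports any `exec`/`eval`/`compile` call whose argument, or a variable feeding that argument, is built from decoding, decompression or byte-wise XOR steps. The `SAMPLE` source, the `DECODER_NAMES` list and the placeholder blob `b"<constructed>"` are constructed for illustration and model only the call shape, not the real payload.

```python
"""Static detector for stacked decode/XOR/decompress chains that terminate in exec().

Added example (not part of the advisory or the cipherflow project). Scans source
text with the ast module only; nothing in the scanned file is executed.
"""
import ast
from dataclasses import dataclass

# Decoding / decompression helpers commonly stacked in front of exec(). Assumed list.
DECODER_NAMES = {"b85decode", "b64decode", "b32decode", "a85decode",
                 "decompress", "unhexlify", "fromhex"}
# Dynamic-code sinks worth flagging when fed by such a chain.
SINKS = {"exec", "eval", "compile"}


@dataclass
class Finding:
    lineno: int
    sink: str
    layers: list  # distinct decode steps seen, e.g. ["decompress", "xor", "b85decode"]


def _call_name(node):
    """Return the bare name of a call target: base64.b85decode -> 'b85decode'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _decoder_assignments(tree):
    """Map simple names to decoder steps used in their assignment (x = base64.b85decode(...))."""
    assigned = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            hits = [_call_name(c) for c in ast.walk(node.value)
                    if isinstance(c, ast.Call) and _call_name(c) in DECODER_NAMES]
            if hits:
                assigned[node.targets[0].id] = hits
    return assigned


def _decode_layers(node, assigned):
    """Collect decoder calls, XOR operations and decoder-fed names under an expression."""
    layers = []
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call) and _call_name(sub) in DECODER_NAMES:
            layers.append(_call_name(sub))
        elif isinstance(sub, ast.BinOp) and isinstance(sub.op, ast.BitXor):
            layers.append("xor")
        elif isinstance(sub, ast.Name) and sub.id in assigned:
            layers.extend(assigned[sub.id])
    return list(dict.fromkeys(layers))  # dedupe, keep first-seen order


def find_decode_exec(source):
    """Return Findings for every sink call whose first argument is built from a decode chain."""
    tree = ast.parse(source)
    assigned = _decoder_assignments(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in SINKS and node.args:
            layers = _decode_layers(node.args[0], assigned)
            if layers:
                findings.append(Finding(node.lineno, _call_name(node), layers))
    return findings


# Constructed sample mirroring the reported call shape; the blob is a placeholder, not the payload.
SAMPLE = '''
import base64, zlib
_ = b"k" * 32
__ = base64.b85decode(b"<constructed>")

def setup_env():
    exec(zlib.decompress(bytes(__[i] ^ _[i % len(_)] for i in range(len(__)))).decode())

def harmless():
    return base64.b64decode(b"aGk=")  # decoding without a sink is not flagged
'''

if __name__ == "__main__":
    for f in find_decode_exec(SAMPLE):
        print(f"line {f.lineno}: {f.sink}() fed by {' -> '.join(f.layers)}")
```

Run it over a package's files after `pip download` (before installing) and treat any hit with two or more layers as grounds for manual review; a single `b64decode` into `exec` is already suspicious, but the stacked base85 + XOR + zlib shape has no plausible benign use in a crypto library.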
## Source: kam193 (c5572ca4917ed5ce72dfcb7d82abb3a085cdaed9f1992463800826bc18249f91)

The package contains obfuscated code to download executables from a typosquatted domain.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-cipherflow
Reasons (based on the campaign):
- obfuscation
- Downloads and executes a remote executable.
Affected packages
No fixed version published yet for cipherflow (pip). Pin to a known-safe version or switch to an alternative.