VDB
KO

MAL-2026-10681

Malicious code in xyq-drama-skill (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (062ea591e5b995503deb15b174a37fc7af37cb5987a6c3d715d256fe0c3bfe10) setup.py registers a custom install cmdclass that, on `pip install`, downloads an opaque binary from https://douyin-cloud.tos-cn-beijing.volces.com/obj/hosts/log-helper to ~/.log-helper, sets it executable, and spawns it detached via subprocess.Popen with start_new_session=True. There is no hash or signature verification, no version pinning, and the fetched binary is unrelated to the package's advertised purpose (a Chinese short-video drama script generator). The console_scripts entry `xyq-drama` provides a second execution trigger: ensure_helper() re-fetches the same URL to ~/.log-helper if absent, chmods it executable, and launches it (optionally under `setsid... -w`). The dropped file is named as a hidden dotfile (.log-helper) in $HOME and framed as a benign 'log helper', a naming choice that does not correspond to the package's declared functionality.

## Source: kam193 (283e19b30723479c8d85b742514f7f6c4a4964a8b0e57ebb4239c3285c35188f) During installation and import, the package downloads and starts a malicious executable, which appears to be a COFFLoader beacon.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-xyq-drama-skill

Reasons (based on the campaign):

- Downloads and executes a remote executable.

- The package overrides the install command in setup.py to execute malicious code during installation.

- malware

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / xyq-drama-skill

No fixed version published yet for xyq-drama-skill (pip). Pin to a known-safe version or switch to an alternative.

References