
MAL-2026-4227

Malicious code in lognest (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (481f45cde243009853b52b584fb6a1af2eae31e637912c8b78f18a8d7ee0d9d0)

On `import lognest`, the package's `__init__.py` spawns a detached background subprocess running a sibling `_check.py` (lognest/__init__.py:25: `subprocess.Popen([sys.executable, os.path.join(base_dir, "_check.py")], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)`). That script enters an infinite loop POSTing to `https://pypkg.dev/project/logger/json`, a lookalike of pypi.org, with TLS verification explicitly disabled via `ssl._create_unverified_context()` (lognest/_check.py:22). On the first request it exfiltrates the absolute install path (`Path(__file__).resolve().parent`), which typically encodes the installer's username, virtualenv layout, or CI runner path (lognest/_check.py:18). Server responses are base64-decoded and dispatched on background threads (lognest/_check.py:31), giving the operator a persistent C2 channel for delivering second-stage payloads to any process that imports the package. None of this behavior matches the package's advertised purpose as a logger. The combination of an import-time background process, a lookalike non-publisher host, disabled TLS verification, install-path exfiltration, and base64-decoded response dispatch is an unambiguous attacker-controlled remote-execution channel.
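A static triage check built from the indicators listed above, added here as an example (it is not code from the advisory's sources or from the package): it parses each module with `ast` and counts import-time `subprocess.Popen` calls, `ssl._create_unverified_context()` calls, base64 decoding, and string constants naming the lookalike host. The two fixtures are constructed stand-ins modelled on the description, not the real files, and the host list and the flagging threshold are assumptions.

```python
import ast
LOOKALIKE_HOSTS = ("pypkg.dev",)  # non-publisher host named in the advisory

def _dotted(node):
    """Dotted name of a call target, e.g. 'subprocess.Popen'; '' if not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

def scan_source(src):
    """Count the advisory's indicators in one module's source text."""
    tree = ast.parse(src)
    hits = {"import_time_popen": 0, "tls_verify_disabled": 0,
            "base64_decode": 0, "lookalike_host": 0}
    for stmt in tree.body:
        # Statements outside def/class bodies execute on import; a Popen there is the red flag.
        if not isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            for n in ast.walk(stmt):
                if isinstance(n, ast.Call) and _dotted(n.func) == "subprocess.Popen":
                    hits["import_time_popen"] += 1
    for n in ast.walk(tree):  # remaining indicators count anywhere in the module
        if isinstance(n, ast.Call):
            name = _dotted(n.func)
            hits["tls_verify_disabled"] += name == "ssl._create_unverified_context"
            hits["base64_decode"] += name in ("base64.b64decode", "b64decode")
        elif isinstance(n, ast.Constant) and isinstance(n.value, str):
            hits["lookalike_host"] += any(h in n.value for h in LOOKALIKE_HOSTS)
    return hits

def flag_package(files):
    """files: {path: source}. Flag an import-time spawn paired with C2-style indicators."""
    total = {k: 0 for k in scan_source("")}
    for src in files.values():
        for k, v in scan_source(src).items():
            total[k] += v
    c2 = total["tls_verify_disabled"] + total["base64_decode"] + total["lookalike_host"]
    return total["import_time_popen"] > 0 and c2 >= 2  # threshold is an assumption

# Constructed fixtures modelled on the advisory's description, not the package's code.
SAMPLE_INIT = '''import os, subprocess, sys
base_dir = os.path.dirname(__file__)
subprocess.Popen([sys.executable, os.path.join(base_dir, "_check.py")], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
'''
SAMPLE_CHECK = '''import base64, ssl
URL = "https://pypkg.dev/project/logger/json"
ctx = ssl._create_unverified_context()
payload = base64.b64decode(b"")  # stand-in for decoding a server response
'''
```

Run `flag_package` over the `.py` files of an unpacked wheel or sdist before it is installed; a benign logger should produce no import-time spawn and none of the C2 indicators.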

## Source: kam193 (8a52e16511fcccbee8bfd9e44dca8d6a3b5927bd5e66cf6fc7b849900c71ed9f)

Package silently executes remote code during import.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-lognest

Reasons (based on the campaign):

- Downloads and executes a remote malicious script.

Is this version affected?

Enter the package version you are using for an immediate assessment.

Affected packages

PyPI / lognest

No fixed version published yet for lognest (pip). Pin to a known-safe version or switch to an alternative.

References