MAL-2026-6081

Malicious code in disksweep (PyPI)

Details

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5a6449a8f35de848928e7f17d88c87db80e5aee40e8b53c375e07fc7d43cc05e)
On every `import disksweep`, the package's top-level `src/disksweep/__init__.py` (lines 18-24) calls `ctypes.CDLL` on a 2.9 MB Windows binary (`_parser.pyd`) shipped inside the wheel. Loading a Windows PE via `ctypes.CDLL` invokes the DLL's `DllMain(DLL_PROCESS_ATTACH)` entry point, executing whatever native code the binary contains in the importing process. No Python code in the package ever calls into the DLL; it is loaded purely for its load-time side effects, and any exception is silently swallowed (`except: pass`). The README explicitly advertises 'Zero dependencies. Nothing to audit.' and the pure-Python `scan.py` already implements the full scanner functionality, so the binary's presence is unjustified by the advertised feature set. `pyproject.toml` (lines 87, 90) additionally force-includes a byte-identical copy of the binary under a second name (`__parser.pyd`, sha256 b1aace6c…f83c3, 2,905,600 bytes) that has no Python reference, a redundancy pattern consistent with AV-evasion / fallback-loading rather than a legitimate native acceleration library. Any Windows host that runs `pip install disksweep` followed by `import disksweep`, or invokes the `disksweep`/`sweep` CLI (which imports the package), will execute the opaque native code.
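
A static check for the pattern described in the report above, added here as an example (not the page's, the reporter's, or the package's own code): it reads a wheel as a zip archive without installing or importing anything, and reports ctypes loads found in package code, whether each loaded file is also imported as a real extension module, whether the load sits inside a bare or broad `except` whose body is only `pass`, native files no Python source references at all, and byte-identical binaries shipped under different names. The wheel it triages is constructed inside the block with placeholder bytes that mirror the layout the report describes (it contains no real PE); `triage_wheel`, `build_demo_wheel`, `demo` and the version tag `0.0.0` are this example's names, not the package's. It only resolves literal filename strings passed to the loader, so a path assembled at runtime from pieces would be reported with an empty target list.

```python
"""Static triage of a wheel for: a native binary loaded with ctypes from package code
(so DllMain runs on `import`), never imported as an extension module, wrapped in a
silencing `except`, and duplicated byte-for-byte under a second name.  Added example,
not the page's or the package's code; the demo wheel is constructed and has no real PE."""
import ast
import hashlib
import os
import tempfile
import zipfile
from collections import defaultdict

NATIVE_SUFFIXES = (".pyd", ".dll", ".so", ".dylib")
LOADER_NAMES = {"CDLL", "WinDLL", "OleDLL", "PyDLL", "LoadLibrary"}  # ctypes loaders


def _silenced_lines(tree):
    """Line numbers inside a `try:` whose handler is `except:`/`except Exception:` + `pass`."""
    lines = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Try):
            continue
        for h in node.handlers:
            broad = h.type is None or (isinstance(h.type, ast.Name)
                                       and h.type.id in {"Exception", "BaseException"})
            if broad and all(isinstance(s, ast.Pass) for s in h.body):
                for stmt in node.body:
                    lines.update(range(stmt.lineno, stmt.end_lineno + 1))
    return lines


def _scan_module(source):
    """Return (ctypes loads, imported module stems) for one Python source file."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return [], set()
    silenced, loads, imported = _silenced_lines(tree), [], set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported.update(a.name.rsplit(".", 1)[-1] for a in node.names)
        elif isinstance(node, ast.ImportFrom):
            imported.update(a.name for a in node.names)
            if node.module:
                imported.add(node.module.rsplit(".", 1)[-1])
        elif isinstance(node, ast.Call):
            f = node.func
            name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
            if name in LOADER_NAMES:
                # only literal filenames are resolved; computed paths give an empty list
                targets = [c.value for c in ast.walk(node) if isinstance(c, ast.Constant)
                           and isinstance(c.value, str) and c.value.endswith(NATIVE_SUFFIXES)]
                loads.append({"line": node.lineno, "targets": targets,
                              "silenced": node.lineno in silenced})
    return loads, imported


def _stem(name):
    return os.path.basename(name).split(".", 1)[0]  # "pkg/_parser.pyd" -> "_parser"


def triage_wheel(path):
    """Read the archive only; the package is never installed or imported."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        natives = [n for n in names if n.endswith(NATIVE_SUFFIXES)]
        sources = {n: zf.read(n).decode("utf-8", "replace") for n in names if n.endswith(".py")}
        digests = {n: hashlib.sha256(zf.read(n)).hexdigest() for n in natives}
    loads, imported = [], set()
    for fname, src in sources.items():
        mod_loads, mod_imported = _scan_module(src)
        imported |= mod_imported
        loads += [{"file": fname, **ld} for ld in mod_loads]
    for ld in loads:  # a genuine extension module is imported, not merely CDLL'd
        ld["imported_as_module"] = any(_stem(t) in imported for t in ld["targets"])
    all_text = "\n".join(sources.values())
    by_hash = defaultdict(list)
    for n, d in digests.items():
        by_hash[d].append(n)
    return {
        "side_effect_loads": loads,
        "unreferenced_binaries": [n for n in natives if _stem(n) not in imported
                                  and os.path.basename(n) not in all_text],
        "duplicate_binaries": [sorted(v) for v in by_hash.values() if len(v) > 1],
    }


# Constructed demo wheel mirroring the reported layout; DEMO_BLOB is a placeholder, not a PE.
DEMO_INIT = (
    "import ctypes, os\n"
    "from .scan import sweep\n"
    "\n"
    "try:\n"
    "    ctypes.CDLL(os.path.join(os.path.dirname(__file__), '_parser.pyd'))\n"
    "except:\n"
    "    pass\n"
)
DEMO_BLOB = b"MZ" + bytes(62)


def build_demo_wheel(directory):
    path = os.path.join(directory, "disksweep-0.0.0-py3-none-win_amd64.whl")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("disksweep/__init__.py", DEMO_INIT)
        zf.writestr("disksweep/scan.py", "def sweep(root):\n    return []\n")
        zf.writestr("disksweep/_parser.pyd", DEMO_BLOB)
        zf.writestr("disksweep/__parser.pyd", DEMO_BLOB)  # byte-identical second copy
    return path


def demo():
    with tempfile.TemporaryDirectory() as d:
        return triage_wheel(build_demo_wheel(d))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On the constructed wheel the report lists one load in `disksweep/__init__.py` with `silenced` true and `imported_as_module` false, `disksweep/__parser.pyd` as the binary nothing references, and the two `.pyd` files as a byte-identical pair. Run `triage_wheel` against a downloaded `.whl` (`pip download --no-deps <pkg>`) to apply the same checks to a real artifact; a `.pyd` that is loaded only through ctypes and never imported is the signal worth escalating, since a real accelerator is used from Python.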

## Source: kam193 (3bc79bc0cdfcad5c0e383a83f621365a84be1090e44364974ee8ec2bf1a12942)
During import, the package loads an embedded native extension module. This library hooks on loading, spawns a new system process and likely attempts to inject the encrypted payload into it for further execution (T1055.012). The code uses heavy analysis-evasion techniques. The decrypted payload revealed capabilities to steal all kinds of credentials (browser data, AI tools, environment variables, SSH keys, ...), inject code to redirect cryptocurrency transactions, spy-like activities (screenshots, keylogger) and worm-like activities using discovered GitHub tokens to publish malicious code into CI. It establishes persistence in `%LOCALAPPDATA%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe` and also attempts to perform lateral movement in Kubernetes and AWS environments.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-syncagents

Reasons (based on the campaign):

- native-extension

- infostealer

- worm

- exfiltration-crypto

- exfiltration-credentials

- uses-telegram-bot

- keylogger

- clipboard-stealing

- exfiltration-ssh-keys

- The package contains code to detect if it is running in a sandbox environment.

- obfuscation

- exfiltration-browser-data

- exfiltration-env-variables

- persistence

Affected packages

PyPI / disksweep

No fixed version published yet for disksweep (pip). Pin to a known-safe version or switch to an alternative.

References