MAL-2026-6082

Malicious code in dotenv-sync (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c91932ecf0decc2b900d3e3cd6effe3c4cb1c4ec5ddfd98cde2460facf9f7ae1) On Windows, `src/envsync/__init__.py` (lines 39-44) unconditionally calls `ctypes.CDLL` on a bundled ~2.9MB PE file `_parser.pyd` at top-level import, wrapped in `try: ... except: pass`. Loading a PE via `ctypes.CDLL` invokes `LoadLibraryA`, which executes the DLL's `DllMain` entry point — arbitrary native code runs on every `import dotenv_sync` / `import envsync` with the installer's user privileges, silently. No symbol from the `.pyd` is ever called from Python; the sole effect of the CDLL call is to execute the binary. The package's README advertises 'zero dependencies', 'Pure Python parser', and 'nothing to audit', and a ~60-line pure-Python parser already exists in `parse.py` — so the native load is undisclosed and unnecessary for the advertised functionality. `pyproject.toml` line 78 force-includes two byte-identical copies of the PE (`_parser.pyd` and `__parser.pyd`, sha256 `b1aace6c70312a39ca39e6bba1d9abc6aaf9b23171089b1a548adc89f67f83c3`) into both the wheel and sdist; the binaries' strings show only register-save prologues with no readable text, imports, or URLs — consistent with a packed payload. There is no `Extension()`, no setuptools/maturin/cmake build configuration, and no source for the binary. The `dotenv-sync` name and `dotenv-sync`/`envsync` CLI entries impersonate the python-dotenv / dotenv-linter / npm envsync ecosystem; author is generic ('envsync contributors') and all project URLs point only at the package's own PyPI page, with no inspectable upstream.

## Source: kam193 (8fa0ec08d0cd452a37bf602615f61dfbbdab27d55180f1e09f53a218b18673f5) During import, the package loads an embedded native extension module. This library hooks on loading, spawns a new system process and likely attempts to inject the encrypted payload into it for further execution (T1055.012). The code uses heavy analysis evasion techniques. The decrypted payload revealed capabilities to steal all kinds of credentials (browser data, AI tools, env variables, SSH keys, ...), inject code to redirect cryptocurrency transactions, spy-like activities (screenshots, keylogger) and worm-like activities using discovered GitHub tokens to publish malicious code into CI. It establishes persistence in `%LOCALAPPDATA%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe` and also attempts to perform lateral movement in Kubernetes and AWS environments.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-syncagents

Reasons (based on the campaign):

- native-extension

- infostealer

- worm

- exfiltration-crypto

- exfiltration-credentials

- uses-telegram-bot

- keylogger

- clipboard-stealing

- exfiltration-ssh-keys

- The package contains code to detect if it is running in a sandbox environment.

- obfuscation

- exfiltration-browser-data

- exfiltration-env-variables

- persistence

Affected packages

PyPI / dotenv-sync

No fixed version published yet for dotenv-sync (pip). Pin to a known-safe version or switch to an alternative.