MAL-2026-6557

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7f4ccaa9f059318782cd3b811f5bd6ea926e267e4b05dc4971d6acc6687d5d4f) setup.py performs an unconditional urllib.request.urlopen() at install time to a hardcoded plaintext bare-IP endpoint http://157.254.194.200:8080/dependency-payload-1.0.0.tar.gz, with exceptions silently swallowed. This fires automatically during pip install (build/setup phase), confirming code execution on the installer's machine and disclosing the installer's network identity to attacker-controlled infrastructure. The distribution is published as 'pkg-fallback' but ships an unrelated 'string_kit' module described as 'string-kit' in README/PKG-INFO; the name/module divergence together with the install-time bare-IP beacon and the attacker-suggestive payload filename ('dependency-payload') is consistent with a dependency-confusion staging/enumeration package rather than a genuine utility.

## Source: kam193 (4563c95d80446cbc0c815185ab9b3649b048c82a33b2d662523ce4760dbc6856) Package exploits dependency confusion. A beacon request is used to report usage back, but no additional information are exfiltrated.

---

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-beacon-dependency-confusion

Reasons (based on the campaign):

- typosquatting

- dependency-confusion