{"schema_version":"1.7.3","id":"MAL-2026-1036","published":"2026-01-16T21:32:25Z","modified":"2026-02-26T00:55:27.149541Z","summary":"Malicious code in uitil (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (ff0b75197d8e7cd361d61461260811fba8920c54b8538cb5f21ec2fc1c885ec3)\nThe package implements an undocumented way to execute code hidden in image files, and a function that searches for images in the current directory and attempts to execute the code. \n\nIt's used in the GitHub repository https://github.com/OR-6/PassCheck/blob/main/main.py#L190 to silently execute the command hidden in the image https://github.com/OR-6/PassCheck/blob/b09b3f1ec5d7345c614b1d956840ee2774f7131b/demo.png  when the user interacts with the repository code. The decrypted command attempted to download and execute code from hxxps://or-6.github[.]io, which at the time of analysis didn't host any code.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-01-uitil\n\n\nReasons (based on the campaign):\n\n\n - typosquatting\n\n\n - steganography\n\n\n - The malicious code is intentionally included in a dependency of the package\n\n\n - action-hidden-in-lib-usage\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n","affected":[{"package":{"name":"uitil","ecosystem":"PyPI","purl":"pkg:pypi/uitil"},"versions":["0.1.4","0.1.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/uitil/MAL-2026-1036.json"}}],"references":[{"type":"WEB","url":"https://github.com/OR-6/PassCheck/blob/main/main.py#L190"},{"type":"WEB","url":"https://github.com/OR-6/PassCheck/blob/b09b3f1ec5d7345c614b1d956840ee2774f7131b/demo.png"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/uitil"}],"database_specific":{"iocs":{"domains":["or-6.github.io"],"urls":["https://github.com/OR-6/PassCheck/","https://or-6.github.io"]},"malicious-packages-origins":[{"id":"pypi/2026-01-uitil/uitil","import_time":"2026-02-25T23:42:59.090660365Z","modified_time":"2026-01-16T21:32:25.526282Z","sha256":"ff0b75197d8e7cd361d61461260811fba8920c54b8538cb5f21ec2fc1c885ec3","source":"kam193","versions":["0.1.4","0.1.5"]},{"id":"pypi/2026-01-uitil/uitil","import_time":"2026-02-26T00:31:51.239635054Z","modified_time":"2026-01-16T21:32:25.526282Z","sha256":"243b442528547767d2f56c9ced8cb1b6791997d176602ecc4725194f684fdb05","source":"kam193","versions":["0.1.4","0.1.5"]}]},"credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}