{"schema_version":"1.7.5","id":"MAL-2026-1064","published":"2026-02-27T13:50:48Z","modified":"2026-03-19T12:51:48.689021Z","summary":"Malicious code in cicd-ppe-redteam-test02 (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (14adb6733ca8f958770b9766a7f255fbd8562886dce3b42cee772eac50e52d0f)\nInstalling the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: GENERIC-standard-pypi-install-pentest\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n## Source: ossf-package-analysis (962e74263ad015f9bf70c19c2cc90554bbbc43c2840280630cef7904557f1665)\nThe OpenSSF Package Analysis project identified 'cicd-ppe-redteam-test02' @ 1.0.0 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","affected":[{"package":{"name":"cicd-ppe-redteam-test02","ecosystem":"PyPI","purl":"pkg:pypi/cicd-ppe-redteam-test02"},"versions":["1.0.0","1.0.3","1.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/cicd-ppe-redteam-test02/MAL-2026-1064.json"}}],"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/cicd-ppe-redteam-test02"}],"database_specific":{"malicious-packages-origins":[{"import_time":"2026-02-27T13:53:35.291573138Z","modified_time":"2026-02-27T13:50:48Z","sha256":"962e74263ad015f9bf70c19c2cc90554bbbc43c2840280630cef7904557f1665","source":"ossf-package-analysis","versions":["1.0.0"]},{"import_time":"2026-02-27T14:18:32.254184675Z","modified_time":"2026-02-27T14:02:59Z","sha256":"834174cff8fb0aa4397db82631cdbfbb9f8f0359fd7187094f0c4b87bb7f9f38","source":"ossf-package-analysis","versions":["1.0.3"]},{"id":"pypi/GENERIC-standard-pypi-install-pentest/cicd-ppe-redteam-test02","import_time":"2026-02-27T14:47:34.086887123Z","modified_time":"2026-02-27T14:13:40.241418Z","sha256":"14adb6733ca8f958770b9766a7f255fbd8562886dce3b42cee772eac50e52d0f","source":"kam193","versions":["1.0.0","1.0.2","1.0.3"]},{"id":"pypi/GENERIC-standard-pypi-install-pentest/cicd-ppe-redteam-test02","import_time":"2026-02-27T15:18:19.856989034Z","modified_time":"2026-02-27T14:33:29.222753Z","sha256":"f0c2b26eb68525cf02ab5097c16efc774d3881b4955aea6c7b2358869772244c","source":"kam193","versions":["1.0.0","1.0.2","1.0.3"]},{"id":"RLMA-2026-00194","import_time":"2026-03-19T12:18:16.776014308Z","modified_time":"2026-03-18T12:12:24Z","sha256":"e0c28a362535d716868eca75de23d46937f2558428f599e823205ef9a1a76535","source":"reversing-labs","versions":["1.0.0","1.0.2","1.0.3"]}]},"credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}