pypi

equest @0.0.1

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6289

Ecosystem

pypi

Summary

The package name equest is a one-character deletion of the widely used requests package, and the package ships no functional library code. setup.py registers custom install and egg_info cmdclasses so that, on pip install or pip download, the package collects the full process environment (os.environ serialized as key=value pairs) and the output of ps -elf, then POSTs both to http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun via curl over plaintext HTTP. The destination is an Interactsh (oast.fun) collector subdomain controlled by the publisher. Any CI/build secrets present in the installer's environment at install time (cloud credentials, registry tokens, GitHub tokens, database credentials) are leaked to the attacker, and the running process list reveals additional host context. The README self-describes the package as a proof-of-concept of arbitrary code execution via pip install.

Source: amazon-inspector (cfe07e7f1e241dde491d3d6f5553ed2247a6f8e1dfdf34b0eaa9943a2cba5094)
