pkg-fallback @1.1.0
Vulnerability report · Last retrieved from osv.dev June 28, 2026 at 8:53 AM UTC
OSV ID
MAL-2026-6557
Ecosystem
pypi
Summary
setup.py performs an unconditional urllib.request.urlopen() at install time to a hardcoded plaintext bare-IP endpoint http://157.254.194.200:8080/dependency-payload-1.0.0.tar.gz, with exceptions silently swallowed. This fires automatically during pip install (build/setup phase), confirming code execution on the installer's machine and disclosing the installer's network identity to attacker-controlled infrastructure. The distribution is published as 'pkg-fallback' but ships an unrelated 'string_kit' module described as 'string-kit' in README/PKG-INFO; the name/module divergence together with the install-time bare-IP beacon and the attacker-suggestive payload filename ('dependency-payload') is consistent with a dependency-confusion staging/enumeration package rather than a genuine utility.
Source: amazon-inspector (7f4ccaa9f059318782cd3b811f5bd6ea926e267e4b05dc4971d6acc6687d5d4f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.