toorc @0.0.1

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6290

Ecosystem

pypi

Summary

On `pip install` (and even `pip download`), the package's `setup.py` overrides the `install` and `egg_info` commands so that they execute a `RunCommand()` routine. That routine serializes every entry in `os.environ` into a `key=value` query string and captures the output of `ps -elf`. The combined payload is then POSTed via `curl` over plaintext HTTP to `http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun`, a unique subdomain on the public interactsh out-of-band (OAST) testing service. Any CI/build secrets present in the environment at install time (`AWS_*`, `GITHUB_TOKEN`, `NPM_TOKEN`, CI provider tokens, etc.) leak to the attacker-controlled OAST listener, along with a snapshot of the processes running on the host.

Source: amazon-inspector (2cfd36909e089f17439dd3227c6f5ccef2fef2964dc26bbdbaaef0481b54615d)
