pypi

turbocalcng @0.2.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10441

Ecosystem

pypi

Summary

turbocalcng/__init__.py imports arithmetic.py, which — beneath a facade of arithmetic helpers — contains an XOR-obfuscated in-memory native code execution path reachable at import time. A helper iReferringj(k,d) XOR-decodes byte lists into the strings 'base64', 'ctypes', 'mmap', 'threading', 'CFUNCTYPE', 'Thread', 'daemon', 'start', etc., and resolves them dynamically via getattr / __import__ / importlib.util.spec_from_file_location to hide the dangerous imports from static review. The reachable loader allocates an RWX region with mmap.mmap(-1, size, prot=7, flags=34), writes decoded bytes into it, casts the region's address through ctypes.CFUNCTYPE and invokes it inside a daemon threading.Thread — executing attacker-supplied native code in the installer's Python process on import turbocalcng . The obfuscation of core module names alongside the RWX + function-pointer-cast + thread-start primitive is characteristic of hostile shellcode injection, not any legitimate arithmetic functionality.

Source: amazon-inspector (58f668de627f83b0348d681edd090804f202add609fdc9a3c671f987608fb448)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.