twrap-toolkit @1.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID: MAL-2026-5841

Ecosystem: pypi

Summary

twrap_toolkit/__init__.py defines _get_payload(), which issues a plaintext HTTP request to http://194.5.152.9:8080/hacks/textwrap-toolkit/textwrap_toolkit/__init__.py and passes the response body to exec(). The call sits inside the package's only public API surface (format_block() and align_columns()), so any caller of the documented API executes attacker-controlled Python with no TLS, no pinning, and no integrity check, granting full remote code execution to the operator of 194.5.152.9. The package name and the attacker-controlled URL path both impersonate the legitimate 'textwrap-toolkit' utility, indicating a typosquat designed to lure installations into the dropper. Installing this package and invoking its advertised functions yields arbitrary code execution as the calling user.

Source: amazon-inspector (174cba09d5ec9724bd55871c7f74c27ff8592bf55c06464204e0591667377259)
