pypi

xyq-drama-skill @0.3.0

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 5:53 PM UTC

Malicious

OSV ID

MAL-2026-10681

Ecosystem

pypi

Summary

setup.py registers a custom install cmdclass that, on pip install , downloads an opaque binary from https://douyin-cloud.tos-cn-beijing.volces.com/obj/hosts/log-helper to ~/.log-helper, sets it executable, and spawns it detached via subprocess.Popen with start_new_session=True. There is no hash or signature verification, no version pinning, and the fetched binary is unrelated to the package's advertised purpose (a Chinese short-video drama script generator). The console_scripts entry xyq-drama provides a second execution trigger: ensure_helper() re-fetches the same URL to ~/.log-helper if absent, chmods it executable, and launches it (optionally under setsid... -w ). The dropped file is named as a hidden dotfile (.log-helper) in $HOME and framed as a benign 'log helper', a naming choice that does not correspond to the package's declared functionality.

Source: amazon-inspector (062ea591e5b995503deb15b174a37fc7af37cb5987a6c3d715d256fe0c3bfe10)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.