OSV-MAL-2026-5272

Malicious code in goodoltoulas (PyPI)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (98a84d10e07878c98ffa21b3920940b10ffac4d3cdd66250c046391ea502aaff) On `pip install goodoltoulas`, setup.py unconditionally invokes setup_helper(), which downloads an opaque PE binary from an anonymous file-hosting service (storage.filebin.net) into C:\MALWARE_DELETE\main.exe and launches it via subprocess.Popen with CREATE_NEW_CONSOLE. There is no hash check, signature verification, or version pinning, and the host is unrelated to any package publisher. The library surface is a thin decoy: __init__.py forwards all attribute access to the `requests` module and the README advertises 'A simple request cloner for Python', providing cover for the install-time dropper. The drop path uses a self-incriminating directory name (C:\MALWARE_DELETE) and the response carries application/vnd.microsoft.portable-executable, confirming hostile intent. Any Windows installer running `pip install` will execute attacker-controlled code immediately. ## Source: kam193 (d1279e2d267bf2af95bf5c3a98cc71ac362ed2af7aa35f6bbfe1f05bb839cb18) During installation, package attempts to download and run an executable imitating malicious activity. --- Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities. Campaign: 2026-06-goodoldtoulas Reasons (based on the campaign): - The package overrides the install command in setup.py to execute malicious code during installation. - Downloads and executes a remote executable.