Malicious code in easyaillm (PyPI)
MAL-2026-5756
Published · Modified
Description
Source: amazon-inspector (b6268f175708584b9c3de408c80de3dc1162f4d1ddedb1ce6201b90f409b0dea)
On pip install easyaillm, setup.py runs exec(base64.b64decode(...)) which decodes to code that fetches https://pastebin.com/raw/hEF5HaFc, treats the response body as a second URL, downloads that URL's bytes to pkg_installer.exe, and executes it via os.system('cmd /c pkg_installer.exe'). The attack stages are concealed behind a base64 blob and exec() indirection, while the package metadata advertises an unrelated LLM/Roblox API purpose as cover. The pastebin source is mutable and anonymous, allowing the operator to swap the second-stage URL and ultimately the executed binary at any time. Installing this package on Windows results in arbitrary attacker-controlled code execution on the installer's machine.
Source: kam193 (8b2e19d96463fddff4bb8d7b73696ea1929c0cd8bb4948204e0913c77da0fbb7)
During installation, the obfuscated code attempts to download and start a malicious executable. The published versions contained issues preventing successful downloading, but it was possible to recover the intended executable during the analysis.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-easyaillm
Reasons (based on the campaign):
- Downloads and executes a remote executable.
- obfuscation
- malware
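An added example, not part of this advisory or of either reporting source's tooling: a static scanner that locates the exec(base64.b64decode(<literal>)) pattern described above in a setup.py, decodes the literal without ever executing it, and reports the indicators a triager would want (remote URL, os.system call, dropped .exe name). The fixture setup.py, its URL and the decoded text are constructed for the example; it also handles the exec(base64.b64decode(x).decode()) variant and reports sites whose argument is not a literal.

```python
import ast
import base64
import re

# Constructed fixture mimicking the install-time exec(base64.b64decode(...)) pattern; the encoded text is inert and only scanned.
_PAYLOAD_TEXT = ('import os\nr = "https://example.invalid/raw/CONSTRUCTED"\n'
                 'os.system("cmd /c pkg_installer.exe")\n')
SAMPLE_SETUP_PY = ("import base64\nfrom setuptools import setup\n"
                   "exec(base64.b64decode(%r))\nsetup(name='demo', version='0.0.1')\n"
                   % base64.b64encode(_PAYLOAD_TEXT.encode()).decode())

# Indicators worth flagging in the decoded text (regexes, not a full parser).
INDICATORS = {
    "remote_url": re.compile(r"https?://[^\s\"']+"),
    "os_system": re.compile(r"\bos\.system\s*\("),
    "subprocess": re.compile(r"\bsubprocess\.\w+\s*\("),
    "exe_drop": re.compile(r"\w+\.exe\b"),
}

def _b64decode_call(node):
    """Return the base64.b64decode(...) Call node wrapped by `node`, or None."""
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "decode":
        node = node.func.value  # exec(b64decode(x).decode()) variant
    if not isinstance(node, ast.Call):
        return None
    f = node.func
    name = f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)
    return node if name == "b64decode" else None

def scan_setup_py(source):
    """Return one finding per exec(base64.b64decode(<literal>)) site in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "exec" and node.args):
            continue
        inner = _b64decode_call(node.args[0])
        if inner is None:
            continue
        arg = inner.args[0] if inner.args else None
        decoded = None  # stays None when the blob is not a literal (e.g. built at runtime)
        if isinstance(arg, ast.Constant) and isinstance(arg.value, (str, bytes)):
            try:  # binascii.Error is a ValueError subclass
                decoded = base64.b64decode(arg.value, validate=True).decode("utf-8", "replace")
            except ValueError:
                pass
        hits = {k: p.findall(decoded) for k, p in INDICATORS.items()} if decoded else {}
        findings.append({"line": node.lineno, "decoded": decoded,
                         "indicators": {k: v for k, v in hits.items() if v}})
    return findings
```

Run it over a wheel's or sdist's setup.py before installation; any finding with a remote_url plus os_system or exe_drop indicator deserves a manual look regardless of what the package metadata claims.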
References
- WEB https://bad-packages.kam193.eu/pypi/package/easyaillm
- PACKAGE https://pypi.org/project/easyaillm/2.0.15/
- EVIDENCE https://www.virustotal.com/gui/file/1a5beab4a6facb46b4afc5f8526e1327e6c7d740ccaf34c6a921ac18eff29427/detection
- EVIDENCE https://www.virustotal.com/gui/file/4c99c8edfc4444f46932f14afccb2952a3850df765765f9ac793d69f318c192f/detection
- EVIDENCE https://www.virustotal.com/gui/file/0649f50ead3695f41c1243883200bdb775410bcd8c8fb88277740a625a154e25