Supply-chain threat intelligence
Risk score
92
Indexed incident for turbocalcng (pypi).
turbocalcng/init.py imports arithmetic.py, which — beneath a facade of arithmetic helpers — contains an XOR-obfuscated in-memory native code execution path reachable at import time. A helper iReferringj(k,d) XOR-decodes byte lists into the strings 'base64', 'ctypes', 'mmap', 'threading', 'CFUNCTYPE', 'Thread', 'daemon', 'start', etc., and resolves them dynamically via getattr / import / importlib.util.spec_from_file_location to hide the dangerous imports from static review. The reachable loader allocates an RWX region with mmap.mmap(-1, size, prot=7, flags=34), writes decoded bytes into it, casts the region's address through ctypes.CFUNCTYPE and invokes it inside a daemon threading.Thread — executing attacker-supplied native code in the installer's Python process on import turbocalcng. The obfuscation of core module names alongside the RWX + function-pointer-cast + thread-start primitive is characteristic of hostile shellcode injection, not any legitimate arithmetic functionality.
During import an obfuscated code starts in-memory functions from a binary blob; after that, it communicates with dockfinancial[.]lu, the exact behaviour is unknown.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-turbocalc
Reasons (based on the campaign):
obfuscation
other
Affected versions
Indicators
Timeline