Supply-chain threat intelligence

Incident detail

criticalpypi·obfuscation·osv

Malicious code in turbocalcng (PyPI)

turbocalcng

Risk score

92

AI summary

Indexed incident for turbocalcng (pypi).

Description

turbocalcng/init.py imports arithmetic.py, which — beneath a facade of arithmetic helpers — contains an XOR-obfuscated in-memory native code execution path reachable at import time. A helper iReferringj(k,d) XOR-decodes byte lists into the strings 'base64', 'ctypes', 'mmap', 'threading', 'CFUNCTYPE', 'Thread', 'daemon', 'start', etc., and resolves them dynamically via getattr / import / importlib.util.spec_from_file_location to hide the dangerous imports from static review. The reachable loader allocates an RWX region with mmap.mmap(-1, size, prot=7, flags=34), writes decoded bytes into it, casts the region's address through ctypes.CFUNCTYPE and invokes it inside a daemon threading.Thread — executing attacker-supplied native code in the installer's Python process on import turbocalcng. The obfuscation of core module names alongside the RWX + function-pointer-cast + thread-start primitive is characteristic of hostile shellcode injection, not any legitimate arithmetic functionality.

During import an obfuscated code starts in-memory functions from a binary blob; after that, it communicates with dockfinancial[.]lu, the exact behaviour is unknown.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-turbocalc

Reasons (based on the campaign):

  • obfuscation

  • other

Technical details

Affected versions

=0.1.0=0.2.0

Indicators

  • affected version=0.1.075%
  • affected version=0.2.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents