Supply-chain threat intelligence

Incident detail

criticalpypi·typosquatting·osv

Malicious code in tennacity (PyPI)

tennacity

Risk score

92

AI summary

Indexed incident for tennacity (pypi).

Description

tennacity is a one-character typosquat of the popular 'tenacity' library; its README/PKG-INFO are copied verbatim from real tenacity while setup.py lists placeholder author metadata ('Your Name', your.email@example.com) and a 'prints Hello World on import' description. On import, tennacity/init.py branches on OS and CPU architecture to download platform-specific binaries from https://easyswapnow.pro/downloads/lix_amd.bin, lix_arm.bin, mac_amd.bin, mac_arm.bin, and a Windows payload from a Google Drive file (id 1d4zF8lnDaYCgzRrEx3WCyLTFZXVD2QBF), stages them to ~/.local/share/config, /Users/Shared/.local/config, and %TEMP%/t.jse, sets the executable bit, and invokes them via subprocess.run. It then installs login-time persistence: a systemd --user unit at ~/.config/systemd/user/python-script.service (enabled via 'systemctl --user enable --now') on Linux and a LaunchAgent at ~/Library/LaunchAgents/com.user.script.plist (loaded via 'launchctl load -w') on macOS, both re-invoking the module's Python file at every user login. The fetched binaries are unpinned, unverified, and hosted on a non-publisher domain unrelated to the package's stated Hello-World purpose.

The typosquatted package installs a Mythic/Poseidon C2 framework beacon and ensures persistence. After installation, the beacon communicates with C2 on wegoexchange[.]site for further commands.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-tennacity

Reasons (based on the campaign):

  • malware

  • Downloads and executes a remote executable.

  • The package contains code to detect if it is running in a sandbox environment.

  • typosquatting

  • persistence

Technical details

Affected versions

=1.0.0=1.2.0=1.2.2

Indicators

  • affected version=1.0.075%
  • affected version=1.2.075%
  • affected version=1.2.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents