Supply-chain threat intelligence
Risk score: 92
Indexed incident for fkaks (pypi).
fkaks 0.0.1 ships a setup.py that overrides the install and egg_info commands, so any pip install or pip download of the package unconditionally executes a curl POST to a hardcoded out-of-band collector at http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun. The POST body is built by iterating the entire os.environ mapping (env_vars_string = "&".join([f"{key}={value}" for key, value in env_vars.items()])) and concatenating it with the output of ps -elf. This harvests whatever secrets the installing user or CI host holds in environment variables (cloud credentials such as AWS_*, GitHub and registry tokens, CI secrets, SSH agent paths) together with a full process listing. The transport is plaintext HTTP to an interactsh-style oast.fun subdomain, infrastructure typical of out-of-band exfiltration callbacks. The README's framing of the package as a demo of automatic code execution on pip install does not change the on-the-wire behavior: every installer is attacked.
During installation, the package exfiltrates environment variables.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-ip-rotat
Reasons (based on the campaign):
- The package overrides the install command in setup.py to execute malicious code during installation.
- exfiltration-env-variables
- typosquatting