Supply-chain threat intelligence

Incident detail

criticalpypi·obfuscation·osv

Malicious code in openblox (PyPI)

openblox

Risk score

92

AI summary

Indexed incident for openblox (pypi).

Description

setup.py invokes GetGitCommitHash() unconditionally at module top level, so it runs on pip install openblox (and any setuptools invocation). On Windows the function builds its command via two helpers (GetDefaultSystemPolicy, CalculateNodeDrift) that reconstruct strings from integer arrays using chr(byte + 14); the arrays decode to mshta and https://fixars.top. The resulting command is passed to subprocess.check_output with shell=True, causing Windows installers to launch mshta https://fixars.top — the mshta.exe Living-Off-The-Land binary downloads and executes remote HTA/JScript, giving the operator arbitrary code execution on the installer's machine. The obfuscation (chr-arithmetic with helper functions falsely named for hardware/latency diagnostics) exists solely to hide the URL and binary name from static scanners. The package additionally exhibits a cover-story shape: it is published under the name openblox with a Roblox-themed description, but the actual code is an unrelated sqligen SQLite utility, with placeholder author metadata (John / john@example.com / github.com/john/sqligen). The Roblox-library name appears chosen to attract installs intended for the legitimate openblox API library.

During installation, the code attempts to download and start a malicious executable.

Likely related to 2025-08-raknet-testing-package.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-easyaillm

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • obfuscation

  • malware

  • tool:mshta

Technical details

Affected versions

=1.0.1=1.0.0

Indicators

  • affected version=1.0.175%
  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents