Supply-chain threat intelligence
Risk score
92
Indexed incident for ip-rotat (pypi).
On pip install or pip download, setup.py registers overridden install and egg_info cmdclass entries that execute ps -elf to capture the host's process listing and iterate the entire os.environ mapping into a URL-encoded body, then POST the combined payload via curl to http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun over plaintext HTTP. Bulk env scraping at install time leaks any CI/CD secrets present in the environment (AWS keys, GitHub/npm/PyPI tokens, etc.) along with a system-wide process listing. The package ships no actual ip-rotation functionality — setup.py contains only the exfiltration payload, the package name ip_rotat is a one-character truncation of common ip-rotator-style libraries, and the README references the this_is_fine_wuzzi install-time-code-execution PoC. The combination of name confusion, zero advertised functionality, and an automatic install-time exfil hook is a supply-chain attack against any installer.
During installation, the package exfiltrates env variables
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-ip-rotat
Reasons (based on the campaign):
The package overrides the install command in setup.py to execute malicious code during installation.
exfiltration-env-variables
typosquatting
Affected versions
Indicators
Timeline