Supply-chain threat intelligence

Incident detail

critical · pypi · typosquatting · osv

Malicious code in ip-rotat (PyPI)

ip-rotat

Risk score

92

AI summary

Indexed incident for ip-rotat (pypi).

Description

On pip install or pip download, setup.py registers overridden install and egg_info cmdclass entries that execute ps -elf to capture the host's process listing and iterate the entire os.environ mapping into a URL-encoded body, then POST the combined payload via curl to http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun over plaintext HTTP. Bulk env scraping at install time leaks any CI/CD secrets present in the environment (AWS keys, GitHub/npm/PyPI tokens, etc.) along with a system-wide process listing. The package ships no actual ip-rotation functionality — setup.py contains only the exfiltration payload, the package name ip_rotat is a one-character truncation of common ip-rotator-style libraries, and the README references the this_is_fine_wuzzi install-time-code-execution PoC. The combination of name confusion, zero advertised functionality, and an automatic install-time exfil hook is a supply-chain attack against any installer.
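The install-time hook described above is a structural pattern that can be triaged statically before a package is ever built: an overridden `install` / `egg_info` entry in `cmdclass`, combined with process spawning, network access or a read of `os.environ` inside `setup.py`. The script below is an added example for this page, not code from the ip-rotat package or from ThreatPkg; it parses a `setup.py` with the standard-library `ast` module and reports those indicators together. The two `setup.py` texts embedded in it are constructed for the demonstration (the suspicious one only runs `uname` and copies the environment, nothing is sent anywhere), and the indicator name sets are assumptions of this example.

```python
"""Static triage of a setup.py for install-time execution hooks (added example)."""
import ast
from dataclasses import dataclass, field

# Setuptools commands that pip runs during `pip install` / `pip download` of an sdist.
HOOKED_COMMANDS = {"install", "egg_info", "develop", "build_py", "sdist"}
# Heuristic name lists; assumptions of this example, extend as needed.
SPAWN_NAMES = {"subprocess", "os.system", "os.popen", "os.execv", "os.execvp"}
NETWORK_NAMES = {"urllib", "requests", "http.client", "socket", "httpx"}


@dataclass
class Findings:
    hooked_commands: set = field(default_factory=set)
    spawn_apis: set = field(default_factory=set)
    network_apis: set = field(default_factory=set)
    reads_environ: bool = False

    @property
    def risky(self) -> bool:
        # The advisory's pattern: a command override plus OS/network/env access.
        return bool(self.hooked_commands) and (
            bool(self.spawn_apis) or bool(self.network_apis) or self.reads_environ
        )


def _dotted(node: ast.AST) -> str:
    """Render an Attribute/Name chain such as os.environ as 'os.environ'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def triage_setup_py(source: str) -> Findings:
    """Walk the setup.py AST and collect install-time execution indicators."""
    f = Findings()
    for node in ast.walk(ast.parse(source)):
        # 1. cmdclass={...} keyword passed to setup(): which commands are overridden?
        if (isinstance(node, ast.keyword) and node.arg == "cmdclass"
                and isinstance(node.value, ast.Dict)):
            for key in node.value.keys:
                if isinstance(key, ast.Constant) and key.value in HOOKED_COMMANDS:
                    f.hooked_commands.add(key.value)
        # 2. imports of process-spawning or network modules
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [alias.name for alias in node.names]
            if isinstance(node, ast.ImportFrom) and node.module:
                names.append(node.module)
            for name in names:
                root = name.split(".")[0]
                if root == "subprocess" or name in SPAWN_NAMES:
                    f.spawn_apis.add(name)
                if root in NETWORK_NAMES or name in NETWORK_NAMES:
                    f.network_apis.add(name)
        # 3. dotted references such as os.environ or os.system(...)
        elif isinstance(node, ast.Attribute):
            name = _dotted(node)
            if name == "os.environ":
                f.reads_environ = True
            elif name in SPAWN_NAMES:
                f.spawn_apis.add(name)
    return f


# Constructed sample: has the structure of an install-time hook, but is inert.
SUSPICIOUS_SETUP = '''
import os, subprocess
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        subprocess.run(["uname", "-a"], check=False)   # constructed placeholder command
        _ = dict(os.environ)                            # environment read, nothing sent
        install.run(self)

setup(name="example-pkg", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: an ordinary setup.py with no command overrides.
CLEAN_SETUP = '''
from setuptools import setup
setup(name="example-pkg", version="0.0.1", packages=["example_pkg"])
'''

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SUSPICIOUS_SETUP
    r = triage_setup_py(src)
    print(f"hooked={sorted(r.hooked_commands)} spawn={sorted(r.spawn_apis)} "
          f"net={sorted(r.network_apis)} environ={r.reads_environ} risky={r.risky}")
```

Run it as `python triage.py path/to/setup.py`. Because `pip download` of an sdist already runs the `egg_info` hook, the file to inspect should come from the archive itself (fetch and extract the sdist without invoking pip), and the result is a triage signal for manual review, not a verdict: legitimate packages do override commands, but rarely combine that with environment reads and process spawning in a package that ships no code of its own.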

During installation, the package exfiltrates environment variables.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-ip-rotat

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • exfiltration-env-variables

  • typosquatting

Technical details

Affected versions

= 0.0.1

Indicators

  • affected version = 0.0.1 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents