Supply-chain threat intelligence

Incident detail

criticalpypi·typosquatting·osv

Malicious code in equest (PyPI)

equest

Risk score

92

AI summary

Indexed incident for equest (pypi).

Description

The package name equest is a one-character deletion of the widely-used requests package and ships no functional library code. setup.py registers custom install and egg_info cmdclasses so that on pip install or pip download, the package collects the full process environment (os.environ serialized as key=value pairs) and the output of ps -elf, then POSTs both to http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun via curl over plaintext HTTP. The destination is an Interactsh (oast.fun) collector subdomain controlled by the publisher. Any CI/build secrets present in the installer's environment at install time (cloud credentials, registry tokens, GitHub tokens, database credentials) are leaked to the attacker, and the running process list reveals additional host context. The README self-describes the package as a proof-of-concept of arbitrary code execution via pip install.

During installation, the package exfiltrates env variables


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-ip-rotat

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • exfiltration-env-variables

  • typosquatting

Technical details

Affected versions

=0.0.1

Indicators

  • affected version=0.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents