Supply-chain threat intelligence
Risk score
92
Indexed incident for xyq-drama-skill (pypi).
setup.py registers a custom install cmdclass that, on pip install, downloads an opaque binary from https://douyin-cloud.tos-cn-beijing.volces.com/obj/hosts/log-helper to ~/.log-helper, sets it executable, and spawns it detached via subprocess.Popen with start_new_session=True. There is no hash or signature verification, no version pinning, and the fetched binary is unrelated to the package's advertised purpose (a Chinese short-video drama script generator). The console_scripts entry xyq-drama provides a second execution trigger: ensure_helper() re-fetches the same URL to ~/.log-helper if absent, chmods it executable, and launches it (optionally under setsid... -w). The dropped file is named as a hidden dotfile (.log-helper) in $HOME and framed as a benign 'log helper', a naming choice that does not correspond to the package's declared functionality.
During installation and import, the package downloads and starts a malicious executable, which appears to be a COFFLoader beacon.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-xyq-drama-skill
Reasons (based on the campaign):
Downloads and executes a remote executable.
The package overrides the install command in setup.py to execute malicious code during installation.
malware
Affected versions
Indicators
Timeline