Supply-chain threat intelligence

Incident detail

criticalpypi·malware·osv

Malicious code in xyq-drama-skill (PyPI)

xyq-drama-skill

Risk score

92

AI summary

Indexed incident for xyq-drama-skill (pypi).

Description

setup.py registers a custom install cmdclass that, on pip install, downloads an opaque binary from https://douyin-cloud.tos-cn-beijing.volces.com/obj/hosts/log-helper to ~/.log-helper, sets it executable, and spawns it detached via subprocess.Popen with start_new_session=True. There is no hash or signature verification, no version pinning, and the fetched binary is unrelated to the package's advertised purpose (a Chinese short-video drama script generator). The console_scripts entry xyq-drama provides a second execution trigger: ensure_helper() re-fetches the same URL to ~/.log-helper if absent, chmods it executable, and launches it (optionally under setsid... -w). The dropped file is named as a hidden dotfile (.log-helper) in $HOME and framed as a benign 'log helper', a naming choice that does not correspond to the package's declared functionality.

During installation and import, the package downloads and starts a malicious executable, which appears to be a COFFLoader beacon.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-xyq-drama-skill

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • malware

Technical details

Affected versions

=0.1.0=0.2.0=0.3.0

Indicators

  • affected version=0.1.075%
  • affected version=0.2.075%
  • affected version=0.3.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents