Supply-chain threat intelligence

Incident detail

criticalpypi·typosquatting·osv

Malicious code in toorc (PyPI)

toorc

Risk score

92

AI summary

Indexed incident for toorc (pypi).

Description

On pip install (and even pip download), the package's setup.py overrides the install and egg_info commands to execute a RunCommand() routine that serializes every entry in os.environ into a key=value query string and captures the output of ps -elf. The combined payload is then POSTed via curl over plaintext HTTP to http://gjampdwmdjmppwedtkpbbdkq05f6iiz6r.oast.fun, a unique subdomain on the public interactsh out-of-band testing service. Any CI/build secrets present in the environment at install time (AWS_*, GITHUB_TOKEN, NPM_TOKEN, CI provider tokens, etc.) leak to the attacker-controlled OAST listener, along with a snapshot of running processes on the host.

During installation, the package exfiltrates env variables


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-ip-rotat

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • exfiltration-env-variables

  • typosquatting

Technical details

Affected versions

=0.0.1

Indicators

  • affected version=0.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents