MAL-2026-6488: Malicious code in pyext6cc8cd (PyPI)
The pyext6cc8cd package version 1.0.0 on PyPI contains malicious code in its setup.py that executes arbitrary commands during installation. Specifically, it decodes a hex string to run the macOS Calculator application via subprocess.Popen unconditionally before the package setup completes. This behavior demonstrates that the package runs untrusted code at install time, posing a risk of arbitrary command execution. The package metadata is placeholder and it contains no functional code, indicating it is a proof-of-concept or test artifact. The obfuscation technique used to hide the command is designed to evade detection by scanners. While the current payload is benign, it could be replaced with destructive or data-exfiltration commands.
AI Analysis
Technical Summary
The pyext6cc8cd PyPI package version 1.0.0 includes malicious code in its setup.py file that executes an arbitrary shell command during installation. The command is obfuscated as a hex string which decodes to 'open -a Calculator' on macOS and is executed via subprocess.Popen before setuptools.setup() is called. This unconditional execution of code at install time allows arbitrary command execution by anyone installing this package. The package contains no legitimate functionality and uses placeholder metadata, indicating it is a proof-of-concept malicious package. The obfuscation technique is intended to bypass static detection methods that look for literal command strings in setup.py files.
Potential Impact
Any user installing pyext6cc8cd version 1.0.0 on macOS will have the arbitrary command 'open -a Calculator' executed on their system during installation. Although the current payload is benign, the technique allows an attacker to run any arbitrary commands with the privileges of the user performing the install, which could lead to compromise, data exfiltration, or system damage if modified. This represents a direct risk of arbitrary code execution during package installation.
Mitigation Recommendations
No official patch or fix is available for this package version. Users should avoid installing pyext6cc8cd version 1.0.0 from PyPI. Treat this package as untrusted and do not install it. Use trusted sources and verify package integrity before installation. Consider using tools that detect or block packages with install-time code execution. Monitor for updates from PyPI or the package maintainer for any remediation.
MAL-2026-6488: Malicious code in pyext6cc8cd (PyPI)
Description
The pyext6cc8cd package version 1.0.0 on PyPI contains malicious code in its setup.py that executes arbitrary commands during installation. Specifically, it decodes a hex string to run the macOS Calculator application via subprocess.Popen unconditionally before the package setup completes. This behavior demonstrates that the package runs untrusted code at install time, posing a risk of arbitrary command execution. The package metadata is placeholder and it contains no functional code, indicating it is a proof-of-concept or test artifact. The obfuscation technique used to hide the command is designed to evade detection by scanners. While the current payload is benign, it could be replaced with destructive or data-exfiltration commands.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The pyext6cc8cd PyPI package version 1.0.0 includes malicious code in its setup.py file that executes an arbitrary shell command during installation. The command is obfuscated as a hex string which decodes to 'open -a Calculator' on macOS and is executed via subprocess.Popen before setuptools.setup() is called. This unconditional execution of code at install time allows arbitrary command execution by anyone installing this package. The package contains no legitimate functionality and uses placeholder metadata, indicating it is a proof-of-concept malicious package. The obfuscation technique is intended to bypass static detection methods that look for literal command strings in setup.py files.
Potential Impact
Any user installing pyext6cc8cd version 1.0.0 on macOS will have the arbitrary command 'open -a Calculator' executed on their system during installation. Although the current payload is benign, the technique allows an attacker to run any arbitrary commands with the privileges of the user performing the install, which could lead to compromise, data exfiltration, or system damage if modified. This represents a direct risk of arbitrary code execution during package installation.
Mitigation Recommendations
No official patch or fix is available for this package version. Users should avoid installing pyext6cc8cd version 1.0.0 from PyPI. Treat this package as untrusted and do not install it. Use trusted sources and verify package integrity before installation. Consider using tools that detect or block packages with install-time code execution. Monitor for updates from PyPI or the package maintainer for any remediation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6488
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef7e027e9c7971902c50d
Added to database: 06/26/2026, 22:06:24 UTC
Last enriched: 06/26/2026, 22:42:13 UTC
Last updated: 06/26/2026, 22:42:13 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.