MAL-2026-6489: Malicious code in extra-huggingface (PyPI)
The extra-huggingface package on PyPI is a malicious typosquatting package impersonating the Hugging Face ecosystem. It contains a remote access trojan (RAT) implemented via a large native Windows binary that connects to an attacker-controlled server to receive and execute commands. The package installs persistence mechanisms to survive system reboots and exfiltrates sensitive data, including browser information. It masquerades as an educational tool but is designed for malicious purposes such as data theft and unauthorized remote control.
AI Analysis
Technical Summary
The extra-huggingface PyPI package (version 0.4.0) is a malicious package that impersonates the Hugging Face ecosystem to lure machine learning developers. It includes a native Windows PE module (_native.pyd) that implements a remote access trojan (RAT). The Python code acts as a thin wrapper exposing functions to run the agent, install persistence, and communicate with a hardcoded attacker-controlled server at 91.92.40.212:8080. The agent polls this server to receive commands and maintains persistence by registering itself to run after login or boot. The package exfiltrates sensitive data, including browser data, and is classified as a malicious campaign involving typosquatting, native extensions, persistence, and infostealing.
Potential Impact
Systems that install and run this package are compromised by a remote access trojan that allows attackers to execute arbitrary commands remotely. The malware establishes persistence to survive reboots and exfiltrates sensitive user data, including browser information. This leads to unauthorized data disclosure and full remote control of the affected machine.
Mitigation Recommendations
No official patch or fix is available since this is a malicious package rather than a vulnerability in legitimate software. The recommended mitigation is to avoid installing the extra-huggingface package, especially from untrusted sources. Users should verify package authenticity before installation and remove any instances of this package if found. Security teams should monitor for and block connections to the hardcoded malicious server IP 91.92.40.212. Since this is a malicious typosquat, educating users about typosquatting risks and verifying package names is critical.
MAL-2026-6489: Malicious code in extra-huggingface (PyPI)
Description
The extra-huggingface package on PyPI is a malicious typosquatting package impersonating the Hugging Face ecosystem. It contains a remote access trojan (RAT) implemented via a large native Windows binary that connects to an attacker-controlled server to receive and execute commands. The package installs persistence mechanisms to survive system reboots and exfiltrates sensitive data, including browser information. It masquerades as an educational tool but is designed for malicious purposes such as data theft and unauthorized remote control.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The extra-huggingface PyPI package (version 0.4.0) is a malicious package that impersonates the Hugging Face ecosystem to lure machine learning developers. It includes a native Windows PE module (_native.pyd) that implements a remote access trojan (RAT). The Python code acts as a thin wrapper exposing functions to run the agent, install persistence, and communicate with a hardcoded attacker-controlled server at 91.92.40.212:8080. The agent polls this server to receive commands and maintains persistence by registering itself to run after login or boot. The package exfiltrates sensitive data, including browser data, and is classified as a malicious campaign involving typosquatting, native extensions, persistence, and infostealing.
Potential Impact
Systems that install and run this package are compromised by a remote access trojan that allows attackers to execute arbitrary commands remotely. The malware establishes persistence to survive reboots and exfiltrates sensitive user data, including browser information. This leads to unauthorized data disclosure and full remote control of the affected machine.
Mitigation Recommendations
No official patch or fix is available since this is a malicious package rather than a vulnerability in legitimate software. The recommended mitigation is to avoid installing the extra-huggingface package, especially from untrusted sources. Users should verify package authenticity before installation and remove any instances of this package if found. Security teams should monitor for and block connections to the hardcoded malicious server IP 91.92.40.212. Since this is a malicious typosquat, educating users about typosquatting risks and verifying package names is critical.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6489
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef7ce27e9c79719002078
Added to database: 06/26/2026, 22:06:06 UTC
Last enriched: 06/26/2026, 22:36:57 UTC
Last updated: 06/26/2026, 22:36:57 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.