MAL-2026-1085

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (e47981485066b674150cc4d9d3709e41707e69111f188e54e772becc7349ab89)

The package states to contain a modified curl library to allow low-level request modifications. However, there is also undisclosed malicious behavior:

The package installs a .pth file directly in the site-packages directory, effectively running a special code on each Python usage.
This code performs "TLS context warm-up" by contacting a URL (Github) in the background, in a separate process; this is suspicious on its own as it's unclear how a separate process can warm up further requests in the main process, but...
...besides the URL given in the code above, the library always contacts a hardcoded URL, identifying itself as a VPN client.

Additionally, there is no source code of the modified library anywhere, and the related Github hosting the package code account is 1-day old.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-02-ctf-toolkit

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

Affected Packages

ctf-toolkit

PyPI

Affected versions:

0.1.0

References

WEB

https://bad-packages.kam193.eu/pypi/package/ctf-toolkit

WEB

https://github.com/Wang-SecurityResearch/ctf_toolkit

WEB

https://web.archive.org/web/20260228111147/https://github.com/Wang-SecurityResearch