{"id":"MAL-2026-4777","summary":"Malicious code in xct-x-ayoub (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d33575d7ebb1fa670ce8a2f633471492b04319daffe0f1e10dd35841cf2709af)\nOn `import XcT_x_AyOuB`, the package's top-level `__init__.py` unconditionally starts a Flask HTTP server bound to 0.0.0.0:5000 (configurable via PORT) exposing /start, /stop, /restart, /settings endpoints that drive packet-flood (\"spam\") functionality against Free Fire game servers (loginbp.ggpolarbear.com, clientbp.ggpolarbear.com, client.{ind,us}.freefiremobile.com). The package ships accs.json containing ~300 third-party Garena Free Fire guest UID/password pairs that are not the installer's; core.py:init_accounts() loads these at startup and authenticates them via POST to https://100067.connect.garena.com/oauth/guest/token/grant (with TLS verification disabled, verify=False, and ssl._create_unverified_context()), then opens persistent sockets to Free Fire login servers. The advertised core function (_spamLoop in core.py) sends openRoom + N spmRoom packets per cycle through the bundled accounts' sockets to flood an attacker-supplied target UID's game room. Installer-side impact: (1) merely importing the package opens a LAN-reachable control surface that any network-adjacent caller can use to direct the installer's host into DoS traffic; (2) the installer's IP is used to authenticate and abuse third-party game accounts redistributed inside the package, attributing TOS-violating and potentially illegal traffic to them; (3) ~300 bundled third-party credentials are distributed to every installer.\nThe package is purpose-built abuse tooling, not a dual-use library with a misuse risk.\n","modified":"2026-05-26T06:02:40.361399193Z","published":"2026-05-26T00:03:03Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"sha256":"d33575d7ebb1fa670ce8a2f633471492b04319daffe0f1e10dd35841cf2709af","id":"IN-MAL-2026-004801","import_time":"2026-05-26T05:53:18.394355101Z","source":"amazon-inspector","modified_time":"2026-05-26T00:03:03Z"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/XcT-x-AyOuB/1.0.0/"}],"affected":[{"package":{"name":"xct-x-ayoub","ecosystem":"PyPI","purl":"pkg:pypi/xct-x-ayoub"},"versions":["1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/xct-x-ayoub/MAL-2026-4777.json","indicators":{"package_integrity":[{"hashes":{"blake2b_256":"2a99c54ba6d1b7d63eedea71d3ba9e241ad4765953aa34959c01767368d88c3e","sha256":"7a97bad8793cc9b86468cc71095cd15b0bf1dbf1756eb77626b4ca870b2ae06e","md5":"062ac4c7be36930504b38746feef8ac8"},"filename":"xct_x_ayoub-1.0.0-py3-none-any.whl"},{"hashes":{"md5":"1aef54f39c57048ec322d8e17f35fe86","sha256":"df1fe00df1ad0a9f7a504ebd37dc13c047123d1fbd4961d7550cc9a640e9610a","blake2b_256":"1800241a66ed2fb5e777cf4d2f33ae269badbff41cf29a2c66eef759ba448d22"},"filename":"xct_x_ayoub-1.0.0.tar.gz"}],"evidence_files":[{"sha256":"b5e289316172cefb2c7ebb1412107be6a7cb5ef71dce77c0b93a5a9af4b9df47","tlsh":"36f0c95525540c7b6b7ba56cb521072987b862234991dbacfd7c22ac2bac6a300a18f6","path":"XcT_x_AyOuB/__init__.py"},{"tlsh":"99e2c4e1d7360ecb180a5a88907028452a500767bd56b075371e6b8e4f5efef8c77acd","sha256":"304b0a52556bc6cb536e0f50569d246ae5b4cb431b0ebe8ceb628a5d120700bb","path":"XcT_x_AyOuB/accs.json"},{"tlsh":"a9b2e6a1aca164a3d753d46d94b6e504332a7c47c9196c78fdac83243fc81b891b19ff","sha256":"6e18f245568cde3c3b35a58d166a51da22cb159eb2c8b3360bd8042b58603ef6","path":"XcT_x_AyOuB/core.py"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}