-= Per source details. Do not edit below this line.=-
On import XcT_x_AyOuB, the package's top-level __init__.py unconditionally starts a Flask HTTP server bound to 0.0.0.0:5000 (configurable via PORT) exposing /start, /stop, /restart, /settings endpoints that drive packet-flood ("spam") functionality against Free Fire game servers (loginbp.ggpolarbear.com, clientbp.ggpolarbear.com, client.{ind,us}.freefiremobile.com). The package ships accs.json containing ~300 third-party Garena Free Fire guest UID/password pairs that are not the installer's; core.py:initaccounts() loads these at startup and authenticates them via POST to https://100067.connect.garena.com/oauth/guest/token/grant (with TLS verification disabled, verify=False, and ssl._create_unverified_context()), then opens persistent sockets to Free Fire login servers. The advertised core function (_spamLoop in core.py) sends openRoom + N spmRoom packets per cycle through the bundled accounts' sockets to flood an attacker-supplied target UID's game room. Installer-side impact: (1) merely importing the package opens a LAN-reachable control surface that any network-adjacent caller can use to direct the installer's host into DoS traffic; (2) the installer's IP is used to authenticate and abuse third-party game accounts redistributed inside the package, attributing TOS-violating and potentially illegal traffic to them; (3) ~300 bundled third-party credentials are distributed to every installer. The package is purpose-built abuse tooling, not a dual-use library with a misuse risk.
{
"malicious-packages-origins": [
{
"modified_time": "2026-05-26T00:03:03Z",
"id": "IN-MAL-2026-004801",
"sha256": "d33575d7ebb1fa670ce8a2f633471492b04319daffe0f1e10dd35841cf2709af",
"import_time": "2026-05-26T05:53:18.394355101Z",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
}
]
}
{
"package_integrity": [
{
"filename": "xct_x_ayoub-1.0.0-py3-none-any.whl",
"hashes": {
"sha256": "7a97bad8793cc9b86468cc71095cd15b0bf1dbf1756eb77626b4ca870b2ae06e",
"md5": "062ac4c7be36930504b38746feef8ac8",
"blake2b_256": "2a99c54ba6d1b7d63eedea71d3ba9e241ad4765953aa34959c01767368d88c3e"
}
},
{
"filename": "xct_x_ayoub-1.0.0.tar.gz",
"hashes": {
"sha256": "df1fe00df1ad0a9f7a504ebd37dc13c047123d1fbd4961d7550cc9a640e9610a",
"md5": "1aef54f39c57048ec322d8e17f35fe86",
"blake2b_256": "1800241a66ed2fb5e777cf4d2f33ae269badbff41cf29a2c66eef759ba448d22"
}
}
],
"evidence_files": [
{
"sha256": "b5e289316172cefb2c7ebb1412107be6a7cb5ef71dce77c0b93a5a9af4b9df47",
"path": "XcT_x_AyOuB/__init__.py",
"tlsh": "36f0c95525540c7b6b7ba56cb521072987b862234991dbacfd7c22ac2bac6a300a18f6"
},
{
"sha256": "304b0a52556bc6cb536e0f50569d246ae5b4cb431b0ebe8ceb628a5d120700bb",
"path": "XcT_x_AyOuB/accs.json",
"tlsh": "99e2c4e1d7360ecb180a5a88907028452a500767bd56b075371e6b8e4f5efef8c77acd"
},
{
"sha256": "6e18f245568cde3c3b35a58d166a51da22cb159eb2c8b3360bd8042b58603ef6",
"path": "XcT_x_AyOuB/core.py",
"tlsh": "a9b2e6a1aca164a3d753d46d94b6e504332a7c47c9196c78fdac83243fc81b891b19ff"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/xct-x-ayoub/MAL-2026-4777.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]