JustAppSec

Malicious PyPI package backdoors installs via remote code download

Published 04 Apr 2026 | Updated 04 Apr 2026 | Source: OSV (Open Source Vulnerabilities)

TL;DR — The photo-extractor package on PyPI was flagged as malicious and designed to pull and run remote payloads, creating a supply-chain backdoor risk for any environment that installed it.

What happened

photo-extractor is a Python package distributed via PyPI. OSV has published MAL-2026-2488 classifying photo-extractor as MALICIOUS, describing it as a clone of a legitimate library with malicious modifications intended to download and execute remote code.

Per the OSV record, the remote script "allows executing arbitrary files" using Telegram as a C2 channel, and the package installs a generic entry point that triggers the malicious behavior.

This is operationally high risk because malicious package releases frequently land via routine dependency updates (CI builds, container rebuilds, developer installs) and can exfiltrate secrets or establish persistence before detection.

Who is impacted

  • Any environment that installed photo-extractor from PyPI, particularly version 2.33.0 (the version explicitly listed in the OSV "origins" metadata).
  • CI/CD runners, developer workstations, and production build systems that allow outbound network access during dependency installation.
Item                         | Source value
-----------------------------|------------------------------------------------------------
Ecosystem / package          | PyPI, photo-extractor
Malicious version called out | 2.33.0
OSV classification           | MALICIOUS
OSV published timestamp      | 2026-04-04T16:41:48Z
Reported behavior            | Downloads and executes a remote script; Telegram used as C2
Reported URLs (IOCs)         | https://tinyurl.com/47h5bmcw, https://www.dropbox.com/.../shadowsocksvpn.ps1?...&dl=1

What to do now

  • Inventory and remove photo-extractor from dependency manifests/lockfiles and identify any installations of version 2.33.0 across dev, CI, and production build environments.
  • If you confirm installation/execution, treat affected hosts and credentials as potentially compromised:
    • Rotate secrets accessible to the impacted runtime (CI tokens, cloud keys, deployment credentials).
    • Review egress/network telemetry for suspicious outbound connections around install time.
  • Add detections for the reported URLs/IOCs from the OSV record in proxy/DNS logs and endpoint telemetry.
  • For future resilience, tighten dependency ingestion controls (pinned lockfiles, allowlisted registries, and reduced/controlled install-time network egress in CI).
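The first and third steps above (finding photo-extractor pins in manifests, and matching the OSV-reported URLs in proxy/DNS logs) as an added example; this is not code from the JustAppSec post or from the OSV record. The package name is normalised per PEP 503 so spelling variants such as `Photo_Extractor` are still caught; the sample requirements file and proxy log lines are constructed, and the elided parts of the Dropbox URL are replaced with the placeholder `ELIDED`.

```python
import re
from typing import Dict, List

MALICIOUS_PACKAGE = "photo-extractor"
MALICIOUS_VERSIONS = {"2.33.0"}  # version called out in the OSV record
# IOC URLs from the OSV record: the tinyurl link is exact; the Dropbox link is
# truncated in the record, so it is matched on host plus script filename.
IOC_PATTERNS = [
    re.compile(r"tinyurl\.com/47h5bmcw", re.I),
    re.compile(r"dropbox\.com/.*shadowsocksvpn\.ps1", re.I),
]

def normalize(name: str) -> str:
    """PEP 503 name normalisation: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_package_pins(manifest: str) -> List[Dict[str, object]]:
    """Scan requirements.txt / `pip freeze` text for photo-extractor pins.
    Every pinned version is reported (the package is a malicious clone, so any
    version is suspect); 'flagged' marks the version OSV explicitly lists."""
    pin = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;]*)")
    hits = []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = pin.match(line)
        if m and normalize(m.group(1)) == MALICIOUS_PACKAGE:
            hits.append({"name": m.group(1), "version": m.group(2),
                         "flagged": m.group(2) in MALICIOUS_VERSIONS})
    return hits

def find_ioc_hits(log_lines: List[str]) -> List[str]:
    """Return proxy/DNS log lines that reference a reported IOC URL."""
    return [ln for ln in log_lines if any(p.search(ln) for p in IOC_PATTERNS)]

# Constructed sample inputs (not real data from the incident).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
Photo_Extractor==2.33.0   # added by a teammate's helper script
pillow==10.2.0
"""
SAMPLE_PROXY_LOG = [
    "2026-04-04T16:50:12Z ci-runner-07 GET https://tinyurl.com/47h5bmcw 302",
    "2026-04-04T16:50:13Z ci-runner-07 GET "
    "https://www.dropbox.com/ELIDED/shadowsocksvpn.ps1?ELIDED&dl=1 200",
    "2026-04-04T16:50:20Z ci-runner-07 GET https://pypi.org/simple/pillow/ 200",
]
```

Run `find_package_pins` over each `requirements.txt` and `pip freeze` output from dev, CI and build hosts, and `find_ioc_hits` over the proxy or DNS logs covering the install window; a tinyurl hit alone already warrants the credential rotation described above.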
