Malicious package

pywingui (PyPI)

Malicious code in pywingui (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-4821
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall pywingui
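A defender-side check for the remediation step above, added here as an example and not part of the advisory or of O3 Security's tooling: it flags the pywingui versions this advisory lists in a requirements file and in the running interpreter, and looks for the ~/.pywingui/ cache directory the advisory says the runtime guard writes, since its presence means the beacon already fired and secret rotation is due. The sample requirement lines are constructed.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Union

try:
    from importlib.metadata import distributions  # Python 3.8+
except ImportError:  # very old interpreters
    distributions = None

# Versions named in this advisory (MAL-2026-4821).
FLAGGED_VERSIONS = {"6.0.0", "6.0.1", "6.1.26", "6.1.33", "6.1.34"}

# Matches pinned lines such as "pywingui==6.0.1" or "PyWinGUI == 6.1.34".
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def is_flagged(name: str, version: str) -> bool:
    """True if name/version is a pywingui build the advisory flags (name is normalized)."""
    return name.lower().replace("_", "-") == "pywingui" and version in FLAGGED_VERSIONS


def scan_requirements(lines: Iterable[str]) -> List[str]:
    """Return the pinned requirement lines that reference a flagged pywingui build."""
    hits = []
    for line in lines:
        m = _REQ_RE.match(line)
        if m and is_flagged(m.group(1), m.group(2)):
            hits.append(line.strip())
    return hits


def scan_installed() -> List[str]:
    """Check the current interpreter's site-packages for a flagged pywingui."""
    if distributions is None:
        return []
    return [f"{d.metadata['Name']}=={d.version}" for d in distributions()
            if d.metadata["Name"] and is_flagged(d.metadata["Name"], d.version)]


def beacon_cache_present(home: Optional[Union[str, Path]] = None) -> bool:
    """~/.pywingui/ is where the advisory says RuntimeGuard caches its check result;
    if it exists, the phone-home has already run on this machine."""
    base = Path(home) if home is not None else Path.home()
    return (base / ".pywingui").is_dir()


if __name__ == "__main__":
    SAMPLE = ["requests==2.31.0", "pywingui==6.0.1", "pywingui==5.9.0"]  # constructed
    print("requirements hits:", scan_requirements(SAMPLE))
    print("installed hits:", scan_installed())
    print("beacon cache present:", beacon_cache_present())
```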

What this malware does

pywingui 6.0.1 advertises itself as a Win32 UI automation framework but ships only Nuitka-compiled cp311-win32 .pyd binaries (the four .py files are trivial re-exports). Two undisclosed behaviors are embedded in those binaries:

  1. Silent relay of OCR data: ui/ocr_utils.cp311-win32.pyd embeds a hardcoded Nanonets bearer token ('Bearer bc65bc5e-1ba4-4284-96ec-3320920b32cd') and an OCR.space API key ('K83196308188957'), and config sets DEFAULT_OCR_PROVIDER='nanonets'. The OCR helpers (read_form_smart and related) upload caller-supplied window screenshots to https://extraction-api.nanonets.com/api/v1/extract/sync and https://api.ocr.space/Parse/Image using the author's own accounts, so any image the consumer OCRs through the documented API is delivered to the author's Nanonets dashboard. The README (which emphasizes Progress OpenEdge ERP automation) does not disclose this. The hardcoded third-party API keys are also redistributed to every installer.

  2. Undisclosed phone-home / kill-switch: core/runtime_guard.cp311-win32.pyd builds a machine fingerprint from socket.gethostname() + getpass.getuser() hashed with SHA-256 and POSTs {action:'check', app:'PYWINGUI', machine_id} to a hardcoded Google Apps Script endpoint (script.google.com/macros/s/AKfycbw_wxvGol9xUpiwvIJYSvV488bUzKt5-2n6Q9mw8_hSG9N22zUUce2hw0mbUgB4lDqB/exec). RuntimeGuard().validate() is invoked from Engine.__init__, which is constructed by the AppContext every consumer instantiates, so the beacon fires on normal first use. The result is cached Fernet-encrypted under ~/.pywingui/. The README mentions no licensing or telemetry, and the server can deny access (kill-switch).

The compiled-only distribution hides both behaviors from source audit. This satisfies the silent-relay class (caller-supplied OCR data flowing to author-controlled SaaS via author credentials) and adds an undisclosed identifier-beacon with remote-disable capability.

Malicious versions

5 flagged: 6.0.0, 6.0.1, 6.1.26, 6.1.33, 6.1.34

Indicators of compromise (SHA-256)


Frequently asked questions

No. pywingui on PyPI has been identified as a malicious package (versions 6.0.0, 6.0.1, 6.1.26, 6.1.33, 6.1.34 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004920, IN-MAL-2026-004926, IN-MAL-2026-005829, IN-MAL-2026-005830, IN-MAL-2026-005828

Credits

  • Amazon Inspector · finder

pywingui (PyPI) malicious package — MAL-2026-4821 | O3 Security