18 matches found
Malicious code in ts-bn-proto (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. ts-bn-proto embeds an infostealer payload directly in index.js with a base64-encoded C2 address data-stream.space, executed at install time via a postinstall hook. The payload harvests cryptocurrency wallet...
MAL-2026-6694 Malicious code in thirdwebb (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. thirdwebb is a typosquat of the legitimate thirdweb package. It uses a side-loader technique, pulling in log-taker as a transitive dependency; the infostealer runs automatically via that dependency's...
Malicious code in polymarket-trading-developer-tools (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-trading-developer-tools uses a dropper technique: a postinstall hook downloads configuration from pm-trading-dev-tools-be.vercel.app and exfiltrates data to the...
Malicious code in thirdwb (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. thirdwb is a typosquat of the legitimate thirdweb package. It uses a side-loader technique, pulling in log-taker as a transitive dependency; the infostealer runs automatically via that dependency's...
Malicious code in decimal-format-core (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. decimal-format-core uses a dropper technique: a postinstall hook executes scripts/install-check.cjs at install time, which fetches a second-stage infostealer payload from the C2 domain logstream-api.online...
MAL-2026-5292 Malicious code in bittensor-burn-watch (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16180f1609731d35398f11dbfcb328826d2e39a7acf42fc256b563512645e6e5 Package advertises itself as a Bittensor subnet burn-rate monitor but bundles a live TELEGRAMBOTTOKEN and TELEGRAMCHATID in...
Malicious code in clip-logger (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 0ee6244e4630a085f305c933f50283a232dda9e0d8e0ba3bab2bb880e53a736d The package contains code to steal clipboard content to a predefined remote location. If run in the right way, the code will periodically check the clipboard a...
Malicious code in databaseroboats (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 758a06f15ef5917ecf964bae5fa46f084b028b69c8dd133acb90da972f6a6f09 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
MAL-2026-2143 Malicious code in roboated (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 0c9f3bba9c27e61fbe6934c9d130ada39dd87f7b7c376fe33609be1ecbaf96e2 During installation, a malicious remote executable is downloaded and run --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers...
Malicious code in roboat (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f04db4869c9e981873683b537f335c1f25c7c17c283315859699855a9c20816b During installation, the code attempts to download and start malware. Connected with the campaign based on the time correlation and other packages published by...
MAL-2026-2121 Malicious code in roboat (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f04db4869c9e981873683b537f335c1f25c7c17c283315859699855a9c20816b During installation, the code attempts to download and start malware. Connected with the campaign based on the time correlation and other packages published by...
Malicious code in auto-backup-wsl (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 a2df4191bfbdaa28acd42677c912064639ef3b278179beee064cd83fb5b0e11e Package performs a "backup" of files to a remote location. This functionality is clearly described, but the user has no control over the remote location where...
MAL-2025-192605 Malicious code in trondec (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d4efad56ea7992fa8744736bf9f7b5e8eee6a521109819f7b841eb3f1ea91bbc Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...
MAL-2025-192386 Malicious code in telcoo (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 c96937a82adce2ecc6628245fd858587131511b4145c04f577ec25d8fa846577 Running the module starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2025-12-evil-rce...
Malicious code in jsonschemex (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 21f678f82847db32c68ab5a95a827f755d13b5d4cd371667eb584f25ed28ed01 Malicious clone of a legitimate package with hidden code that downloads the next stage scripts. Analysed payloads had just exfiltrated basic infos --- Category...
Malicious code in terminalcolornew (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 5a555882888b9895fbe7575cc6121cad44600e17fb64d7551cacc33b29f2ae9f If used, the code attempts to take a photo using the computer's camera and exfiltrates it --- Category: MALICIOUS - The campaign has clearly malicious intent,...
MAL-2025-191778 Malicious code in kraken123 (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 dc2f76a61af953726f4fc219f725013ce8b477860b47433b7fc0444994ffcfd5 As even described, the package contains a malicious code collecting large amount of data. The description suggests educational use, yet, the code can cause rea...
BitRAT Now Sharing Sensitive Bank Data as a Lure
Introduction In June of 2022 Qualys Threat Research Unit TRU wrote an in-depth report on Redline, a commercial off the shelf infostealer that spreads via fake cracked software hosted on Discord’s content delivery network. Since then, we have continued to track similar threats to identify their...