MAL-2026-6560 Malicious code in tdata-grabber (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b4c3b37df5e3d08d7bc6ad736e0231ed0dc655640ffdf0dc403f4029ace2787 Package name explicitly declares its purpose as harvesting Telegram Desktop session data tdata directory. The tdata folder contains live authenticate...

PYSEC-2026-235 Malicious code in ppkt2synergy (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of ppkt2synergy were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates credentials an...

PYSEC-2026-234 Malicious code in phenopacket-store-toolkit (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of phenopacket-store-toolkit were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates...

PYSEC-2026-233 Malicious code in gpsea (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of gpsea were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates credentials and...

ROOT-APP-PYPI-CVE-2023-44271 CVE-2023-44271 in rootio-pillow - Patched by Root

Root has patched CVE-2023-44271 in the rootio-pillow package for Root:PyPI. Multiple fixed versions available...

PYSEC-2026-232 Malicious code in ensmallen (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of ensmallen were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload via the Bun runtime on import that harvests and exfiltrates credentials and...

ROOT-APP-PYPI-CVE-2026-24049 CVE-2026-24049 in rootio-wheel - Patched by Root

Root has patched CVE-2026-24049 in the rootio-wheel package for Root:PyPI. Multiple fixed versions available...

Malicious code in fkaks (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e44e1f1158eda01d3f18e3a3c01e30ebc9f8f92780ea532a63cf6ed31d8a25d3 fkaks 0.0.1 ships a setup.py that overrides the install and egginfo commands so that any pip install or pip download of the package unconditionally...

ROOT-APP-PYPI-CVE-2026-21860 CVE-2026-21860 in rootio-Werkzeug - Patched by Root

Root has patched CVE-2026-21860 in the rootio-Werkzeug package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2026-47265 CVE-2026-47265 in rootio-aiohttp - Patched by Root

Root has patched CVE-2026-47265 in the rootio-aiohttp package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2026-34993 CVE-2026-34993 in rootio-aiohttp - Patched by Root

Root has patched CVE-2026-34993 in the rootio-aiohttp package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2025-4565 CVE-2025-4565 in rootio-protobuf - Patched by Root

Root has patched CVE-2025-4565 in the rootio-protobuf package for Root:PyPI. Multiple fixed versions available...

GHSA-VMHF-C436-HXJ4 JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol

A malicious PyPI package can place a javascript: URL in its project.urls metadata. JupyterLab's Extension Manager renders this as the extension's home-page link without validating the protocol, so a user who clicks the extension name executes attacker-controlled JavaScript in the JupyterLab origi...

ROOT-APP-PYPI-CVE-2025-67221 CVE-2025-67221 in rootio-orjson - Patched by Root

Root has patched CVE-2025-67221 in the rootio-orjson package for Root:PyPI. Multiple fixed versions available...

MAL-2026-5875 Malicious code in myfirstpackagetestaaa (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c05b4934471efac919453e87b37a94a9a92c930455283c0bfb85b535c61f4a6b During installation, the code attempts to download and start a malicious executable. Likely related to 2025-08-raknet-testing-package. --- Category: MALICIOUS ...

Malicious code in aaaazzzzaz (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c1698c50a4706300296a442bbb0ae57280e870d8c83575d68218143e4ffd6645 During installation, the code attempts to download and start a malicious executable. Likely related to 2025-08-raknet-testing-package. --- Category: MALICIOUS ...

MAL-2026-5874 Malicious code in aaaazzzzaz (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c1698c50a4706300296a442bbb0ae57280e870d8c83575d68218143e4ffd6645 During installation, the code attempts to download and start a malicious executable. Likely related to 2025-08-raknet-testing-package. --- Category: MALICIOUS ...

ROOT-APP-PYPI-CVE-2026-41066 CVE-2026-41066 in rootio-lxml - Patched by Root

Root has patched CVE-2026-41066 in the rootio-lxml package for Root:PyPI. Multiple fixed versions available...

Malicious code in testpackagemanyhttpsgo (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 336f39e218fe5b5a09ef8ee7757efa7a0ca73c0fe6571bc232d735448499a950 At install time, setup.py fetches https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe via urllib, writes the response to disk, and executes it wit...

Vulnerable OpenSSL included in cryptography wheels

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in wheels prior to cryptograph 48.01 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20260609.txt. If yo...