MAL-2026-4162 Malicious code in vfat (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 625cd870f2a5de965448b7d69832d398b1bf789babe34a594e8724c5bc42ef48 The package exfiltrates sensitive files and env variables --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

MAL-2026-3835 Malicious code in solana-web3-alt (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b3846bb2c80cb984e05f37cddc24548b73067be9aaca692e401a06f7c323e7b9 In specific environments, the package triggers silent code execution during installation. The code to execute is not included in the package. --- Category:...

GHSA-WX9M-WX4F-4CMG Malicious dropper in mistralai 2.4.6 PyPI package

The mistralai PyPI package version 2.4.6 contains a malicious dropper that executes on import on Linux. No v2.4.6 tag, commit, or release workflow run exists in this repository, the legitimate latest version before the upload was 2.4.5, and the upload bypassed this repository's normal release...

CLEANSTART-2026-SY44974 Security fixes for CVE-2015-20107, CVE-2015-2104, CVE-2019-16056, CVE-2019-16935, CVE-2019-20907, CVE-2019-5010, CVE-2020-14422, CVE-2020-8492, CVE-2021-23336, CVE-2021-29921, CVE-2021-3177, CVE-2022-45061, CVE-2023-27043, CVE-2024-6232, CVE-2024-6923, CVE-2025-59375, CVE-2026-3219, CVE-2026-6357 applied in versions: 3.10.5-r0, 3.11.1-r0, 3.11.5-r0, 3.12.12-r0, 3.12.13-r0, 3.12.3-r2, 3.12.6-r0, 3.6.8-r1, 3.7.5-r0, 3.8.2-r0, 3.8.4-r0, 3.8.5-r0, 3.8.7-r2, 3.8.8-r0, 3.9.4-r0, 3.9.5-r0

Multiple security vulnerabilities affect the python3 package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-EQ71754 Security fixes for CVE-2024-6345, CVE-2025-47273, CVE-2025-59375 applied in versions: 3.11.14-r0

Multiple security vulnerabilities affect the python3 package. These issues are resolved in later releases. See references for individual vulnerability details...

BIT-GITLAB-2026-3073 Authorization Bypass Through User-Controlled Key in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to...

[SECURITY] Fedora 42 Update: uv-0.11.11-1.fc42

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

[SECURITY] Fedora 43 Update: uv-0.11.11-1.fc43

An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...

airalogy-engine (=0.0.2) potentially affected by CVE-2026-46703 via boxlite (=0.8.2)

boxlite PYPI version =0.8.2 is affected by a known vulnerability. The following packages have a transitive dependency on boxlite and may be impacted: - airalogy-engine =0.0.2 Source cves: CVE-2026-46703 Source advisory: SNYK:PYTHON-BOXLITE-16787374...

Linux Distros Unpatched Vulnerability : CVE-2026-42266

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the...

BIT-JUPYTERLAB-2026-42266 JupyterLab has an Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request.

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager allowedextensionsuris is not correctly enforced by JupyterLab. The Py...

MAL-2026-3746 Malicious code in jatinangor-teleport-testing-zer0id (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 34c3a001b297d2dfcc37259733ff95ded758a3a89d63331422f239359c60edd2 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Important: python-pip

Issue Overview: pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update...

MAL-2026-3743 Malicious code in sol-batch-transfer-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 dab4fb850a1ce0b83f1e7f74ce0281ca8309031037355f9a247dbd0a715eab4d The code silently adds a hardcoded address to the list of transfer recipients. --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

hubzoid (>=0.2.2 <=0.4.5), openwebui-token-tracking (>=0.1.7 <=0.1.10) +1 more potentially affected by CVE-2026-45396 via open-webui (>=0.6.0 <=0.8.8)

open-webui PYPI version =0.6.0, =0.2.2, =0.1.7, =0.1.0, =0.1.5 Source cves: CVE-2026-45396 Source advisory: OSV:GHSA-RJMP-VJF2-QF4G...

Malicious code in tronpath (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d9ca86850c4078f14665d6f5bafabc8d794a480a5d990c8a697bc2019869005d Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...

MAL-2026-3742 Malicious code in tronpath (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d9ca86850c4078f14665d6f5bafabc8d794a480a5d990c8a697bc2019869005d Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...

Malicious code in pyexecutorsme (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 326ad16be9056f6cbd75fa4f9a47dec8c3613b56aa53d3e5d439efeef7c6fcad Package attempts to download and execute a script acting as remote access trojan. --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

MAL-2026-3741 Malicious code in pyexecutorsme (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 326ad16be9056f6cbd75fa4f9a47dec8c3613b56aa53d3e5d439efeef7c6fcad Package attempts to download and execute a script acting as remote access trojan. --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

a-mailx (=0.1.0), ai-shell (>=0.1.0 <=1.0.4) +139 more potentially affected by CVE-2026-44899 via mistune (>=3.0.0 <=3.2.0)

mistune PYPI version =3.0.0, =0.1.0, =0.9.5, =3.0.0, =3.2.1b1, =1.0.1, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =0.1.0, =0.0.2, =1.0.0.1, =0.0.1, =0.0.5 and more Source cves: CVE-2026-44899 Source advisory: SNYK:PYTHON-MISTUNE-16697357...