MAL-2026-5089 Malicious code in cryptolock (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b0140fddafadce54debaca7d9591e2770acd987aaf90ec7008b4ae4cf301c233 During installation, the code tamper with security settings and downloads and executes malicious executable. --- Category: MALICIOUS - The campaign has clearly...

MAL-2026-5029 Malicious code in modulebuild3240234t (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4d5962bd4c41d59c276f1fa132030098e557dee6bfe0b0a368a952f70d217287 The package contains an infostealer targeting the Roblox ecosystem. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers...

MAL-2026-4820 Malicious code in datapipe-util (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 74a9da1afe75ec2379c4bade6ac5145c920900e1a1e1173d59b9003061e3fb0f The package intentionally uses the malicious binproto package deploying the malware. --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

MAL-2026-4208 Malicious code in mnemonic-safety-check (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

MAL-2026-4124 Malicious code in @lint-md/core (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in @antv/f6 (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

MAL-2026-3697 Malicious code in syntaxlogger (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 ebc8a65895fc09c10b6e6bf23926076ec575582e80e084616e6779b091df947d When using the provided functionality, code silently downloads archives with executables to a location excluded from A scanning, and then executes them. The...

Fake Claude Code Installer Targets Developers With Browser Credential Stealer

Researchers at Ontinue have discovered an undocumented malware campaign targeting developers with fake Claude Code installers to steal browser passwords and cookies...

Malicious code in xxx-bale (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1109b5dc74c94551027044e54e20f9c1c18f89d53da6af87861ba4773eae1966 The package contains code to install remotely stored malware and ensure its persistence. The code is not triggered automatically; it requires a separate trigge...

Malicious code in rostilesolver (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 eef0922e5bb8ba3371baad4b76542215ff15e445a9d6ed6fb5546230fe5da4df During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

Supply Chain Campaign Targets SAP npm Packages with Credential-Stealing Malware

Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign - Mini Shai Hulud...

Malicious code in robase-start (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 827cc431e55560fd4944d6b7fa6c47e6adb5027a75fe949642630843b0c8702e During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

Malicious code in fetch-data-api-syncapi (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 dda63ba0d0dbd4ddf1d89523cacf89d51ffc9a25891e38cb49a9e424721fba9d The package contains code to download and start a malicious executable. It's masqueraded using name similar to Windows services. In analyzed versions, the code...

MAL-2026-2863 Malicious code in rblx-studio-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 0984290664d514183109c836bea6a2bda03e33f89563accc6c79a51e281688f8 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

MAL-2026-2860 Malicious code in mylib-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8cc746751844570c4d9de0acc1fc4aba45c1316434c664fc70711749720f88f1 During import, a remote executable is automatically started. During analysis, the executable only showed a basic message. It's likely experimenting with...

MAL-2026-2842 Malicious code in looopiw (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 9d2af7de30ed37363dcd3ac8e41e0ff2987d97ec742dd973a2f95158c6f0f185 Starting the module activates a hardcoded telegram bot allowing remote code execution, data exfiltration, collecting webcam photos, clipboard data, etc. ---...

MAL-2026-2671 Malicious code in kryptex-os (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 034201cad27492b279f5c274a5091b2e617da50f27125c7774db069256b3486e Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

JanelaRAT: a financial threat targeting users in Latin America

Background JanelaRAT is a malware family that takes its name from the Portuguese word "janela" which means "window". JanelaRAT looks for financial and cryptocurrency data from specific banks and financial institutions in the Latin America region. JanelaRAT is a modified variant of BX RAT that has...

MAL-2026-2556 Malicious code in api-analysis (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c3bf88cef3ca699f69bada95749b40c4426c9a9c528e53c473698be88cbdc783 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

Malicious code in api-analysis (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c3bf88cef3ca699f69bada95749b40c4426c9a9c528e53c473698be88cbdc783 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...