Malicious code in btd-smart (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ad22b27351879a89349a1232ee5abb46bc589399ea710b9769526a8080b3199 The package presents itself as a clone of juliangruber/balanced-match stolen author identity 'Julian Gruber ', verbatim README, identical API renamed...

MAL-2026-3851 Malicious code in @antv/async-hook (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in env-threads (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfb511e0bf06367ec0341939aa68ee55859344c6ca6cb8d9f55f7e62cdcc8656 Package env-threads impersonates the legitimate dotenv package: its README, repository URL git://github.com/motdotla/dotenv.git, homepage, descriptio...

MAL-2026-3759 Malicious code in env-threads (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfb511e0bf06367ec0341939aa68ee55859344c6ca6cb8d9f55f7e62cdcc8656 Package env-threads impersonates the legitimate dotenv package: its README, repository URL git://github.com/motdotla/dotenv.git, homepage, descriptio...

Malicious code in apkeep (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d545ff7c3c178485cfb49d0028c4c808e67d0ee0fddcb4b7b195c943bb07d888 The package pretends to be a fork of a legitimate Rust library and uses the identity of the original authors. During usage, the obfuscated code targets...

Malicious code in mpkg123 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 df9e0498d827adeb16ea11e4a1137133d2124f039942b776f7ac098a257cd164 If executed as a module, the obfuscated code collects and exfiltrates sensitive data, including passwords saved in a browser. --- Category: MALICIOUS - The...

Malicious code in textwrap-ext (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 da4e8d5daae9a14e0ceb5a942afd308068957ec655cdd950b2b041934e9ec182 During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location and places a backdoor through a new authorized SSH key...

MAL-2026-3408 Malicious code in textwrap-ext (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 da4e8d5daae9a14e0ceb5a942afd308068957ec655cdd950b2b041934e9ec182 During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location and places a backdoor through a new authorized SSH key...

Malicious code in textwrap-toolkit (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 029e190fc99763d65a096339b29fa85aeb0a23c3818a632a2dd4dc99f3e8fd64 During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location and places a backdoor through a new authorized SSH key...

MAL-2026-3403 Malicious code in textwrap-formatter (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 18da24e92fd40457ad3df2af568c07d41b35f44e6e07e8fac3bf0eafba9c2154 During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location and places a backdoor through a new authorized SSH key...

MAL-2026-3396 Malicious code in ninja-core-optimizer (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fbe38f659a9fac5304f648aa594e12123221abd687755378f05b3efe17d6d4c7 During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location --- Category: MALICIOUS - The campaign has clearly maliciou...

MAL-2026-3372 Malicious code in ninja-core-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 65af5eaa02abf860465d0ee9e11d7b10e3e1e36473aec951f8c1ea38ed8a8560 During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location --- Category: MALICIOUS - The campaign has clearly maliciou...

Benchmarking Large Language Models for IoC Recovery under Adversarial Code Obfuscation and Encryption

Software obfuscation and encryption present persistent challenges for program comprehension and security analysis, particularly when adversaries conceal Indicators of Compromise IoCs such as IP addresses within source code. While Large Language Models LLMs have recently demonstrated remarkable...

MAL-2026-3015 Malicious code in lyroxcoder (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 0aa87cfde7d0b832cd24067a43e94d812a4f5ce64541e219fb6aa6b7388939ab Heavy obfuscate code for extracting further obfuscate binaries and executing them using file less techniques. Some versions contain the executable embedded,...

MAL-2026-3002 Malicious code in lyrox (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a758a1be229d0656a639cd9e76cb14b3224260a08da87b6de28ff2bc4c1d48ba Heavy obfuscate code for extracting further obfuscate binaries and executing them using file less techniques. Some versions contain the executable embedded,...

Malicious code in asciitoart (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d91767b12efcd1ad71b86b8d6770f33ddd3f1bfdec795dc04fd1d743a63a4591 Through an obscure way, one of the package files got overwritten by a remote obfuscated code, which appears to be an infostealer. After executing the malicious...

Malicious code in kraken-trader (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4bf5ec6e8a6020de1e122cf07f2dde0f02fa1a484ff984586db379729da75523 The package is a loader of malicious code disguised as remote "credits" code. The remote location, built from the parts in the code, delivers highly obfuscated...

MAL-2026-2498 Malicious code in df-sandbox-test (npm)

Multiple evidences indicate malicious behaviors: data exfiltration, sensitive file access, obfuscated code, and suspicious network connections. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 97761ee82976dcee2c3d8438258e8ace733bec2d2c7e1020035e9e390f9fa02f The...

MAL-2026-2233 Malicious code in lightmock (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a3c7924362f935b55a808e1ede8ffea2dbc96326b853dc00d7ede36c002ff63c Clone of a legitimate package. During import, heavily obfuscate code downloads next stages and finally exfiltrates sensitive data, including data from web...

Malicious code in oc-navbar-module-client (npm)

Malicious package due to code obfuscation, dynamic code execution, suspicious email, install script, and low project popularity. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ec0eedd88f7d05d96544d4fc778561471c0490c16f2fe2c6e8c70428af92e6ad The package...