Malicious code in tgeffect (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e254217ac113edcc1914bdfcda06509137ceed6a7441b3c846653d769335bcaa Importing the module starts obfuscated code which then look for data related to some Telegram clients and attempt to exfiltrate them --- Category: MALICIOUS -...

Malicious code in tikweb (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: oracle-using-macaron 56e420aab6cf451bf10ab865d2950af02e45914f0a7618355f7ee8384ddcd858 This malicious package claims to interact with TikTok web features programmatically, but runs malicious obfuscated code upon import and via other...

MAL-2025-47875 Malicious code in tikweb (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: oracle-using-macaron 56e420aab6cf451bf10ab865d2950af02e45914f0a7618355f7ee8384ddcd858 This malicious package claims to interact with TikTok web features programmatically, but runs malicious obfuscated code upon import and via other...

New SVG-based phishing campaign is a recipe for disaster

We've written in the past about cybercriminals using SVG files for phishing and for clickjack campaigns. We found a new, rather sophisticated example of an SVG involved in phishing. For readers that missed the earlier posts, SVG files are not always simply image files. Because they are written in...

VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics SVG files as part of phishing attacks impersonating the Colombian judicial system. The SVG files, according to VirusTotal, are distributed via email and designed to execute an embedded...

Malicious code in hashstation (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c4f136247c8a57eee83a1a36ee355c982d900b5f5b570a0936dc1df68db6d5f2 When using methods from the package, it downloads an obfuscated code from Github and puts it in multiple localisation. While it appears that this code is used ...

Malicious code in pycrackhash (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b3323afe460298d80a354497acdd641752c5fb6bce2dce3d7e7625d7a46f1d7c When using methods from the package, it downloads an obfuscated code from Github and puts it in multiple localisation. While it appears that this code is used ...

Malicious code in tensorflowjs (npm)

Package is malicious due to code obfuscation, arbitrary command execution via childprocess.spawn, and suspicious postinstall script. --- -= Per source details. Do not edit below this line.=-...

Malicious code in is (npm)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security a1baf574e6278b3c20c30fdd7875414ed04c1a695eb226fd43328004c6916873 "is" had unauthorized new versions published that contained malicious obfuscated code via account compromise...

MAL-2025-6020 Malicious code in is (npm)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security a1baf574e6278b3c20c30fdd7875414ed04c1a695eb226fd43328004c6916873 "is" had unauthorized new versions published that contained malicious obfuscated code via account compromise...

MAL-2025-191771 Malicious code in jython-file (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fc56f6ba4b75b25d4289c3aa3cb1d05f9b1d7bbfacf00b11e270d76ba87a1a3e Package attempts to load in an obfuscated way a code from a file not included in the package as well as inject a dynamic library to the Python dynamic libs...

SharPyShell

SharPyShell SharPyShell is a tiny and obfuscated ASP.NET webshell that executes commands received by an encrypted channel compiling them in memory at runtime. SharPyShell supports only C web applications that runs on .NET Framework = 2.0VB is not supported atm. Usage python3 SharPyShell.py genera...

MAL-2025-5829 Malicious code in node-mongoose-orm (npm)

The package employs typosquatting to impersonate a legitimate author and package, and it contains obfuscated code that exfiltrates sensitive user data and creates a backdoor for remote code execution, The core of the malicious activity is found in the package/lib/writer.js file. The lib/writer.js...

Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month

Cybersecurity researchers are calling attention to a "large-scale campaign" that has been observed compromising legitimate websites with malicious JavaScript injections. According to Palo Alto Networks Unit 42, these malicious injects are obfuscated using JSFuck, which refers to an "esoteric and...

Malicious code in caixaequ2ahzoop (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 da1d699d5d12de135ae0da4180622e30084a77fd76ee5cd36fe5667ce14c4bbe Obfuscated code gets a command from the remote target and executes it. At the time of the test, it was just "whoami". Thus, it's rather just an experiment ---...

Malicious npm Package Leverages Unicode Steganography, Google Calendar as C2 Dropper

Cybersecurity researchers have discovered a malicious package named "os-info-checker-es6" that disguises itself as an operating system information utility to stealthily drop a next-stage payload onto compromised systems. "This campaign employs clever Unicode-based steganography to hide its initia...

Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack

Cybersecurity researchers have discovered three malicious Go modules that include obfuscated code to fetch next-stage payloads that can irrevocably overwrite a Linux system's primary disk and render it unbootable. The names of the packages are listed below - github.com/truthfulpharm/prototransfor...

MAL-2025-191816 Malicious code in pretty-cli-logger (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 94cd11911ce2a0937d9e56087ce9487db18da5bb20df7f1f8948f8356d65c31d Contains an obfuscated code that will download and run a remote script. At the time of the analysis, the remote URLs were delivering empty results --- Category...

Nine-Year-Old npm Packages Hijacked to Exfiltrate API Keys via Obfuscated Scripts

Cybersecurity researchers have discovered several cryptocurrency packages on the npm registry that have been hijacked to siphon sensitive information such as environment variables from compromised systems. "Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate...

MAL-2025-191836 Malicious code in pyrovider (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a346a7f634bedd557ab051ccf33b892a2b6420a97c426a877476b7a66b1acf55 On importing the module, package exfiltrates basic data like username. It's obfuscated with a lot of meaningless text and has no other purpose --- Category:...