Malicious code in cpu-optimizers2-33 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 eb2ab5bcc8a1a35fbd4e5d9b19ac517134ea3fd497e66d7d7126089743804a1c Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

MAL-2026-2686 Malicious code in neverinstallme (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b5a369ecd7616b1dcdbeeca091c3b5bb9df2096c863fe89e9b45154708d5453a Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2026-2670 Malicious code in 7miners (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7501eb0620c75479fa4614362aaa6c5766c8cc2f3b4d8829db6a44ca086cc374 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

Malicious code in buildenv-telemetry (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e56999171c1a81c357cd2b0847497fac643313bd0252be55a1d03cd40be48c1d Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2026-2665 Malicious code in hive-os-settings (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 27052e523741d1d8f29aaadcd3735affbdeaa919d6fad2d0ff01ce878d6e5637 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

MAL-2026-2623 Malicious code in hive-setting (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 94c174f9e83b72e5aaafbb1587d41384786cd29b4e9b69d097117d8c7b403771 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

MAL-2026-2546 Malicious code in hex2pcap (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e634909fd8dcb36401b0272dad2f87486457c32c1283145dfb76d402fff41c2c Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in robase (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 f128f86ab257491fc121f6b5d630cf37776085c139f199ec930ec16a31691855 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

MAL-2026-2534 Malicious code in siempyl-sumo (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 493e667735febe5b3e4cd2cc47ae0b5a09ddacf051dc2804e5e742574ceb5ec4 Dependency confusion attempt. The user identifies themselves as a HackerOne user abusing the PyPI for the purpose of a bug bounty program. This package did not...

Malicious code in noonhelpers (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c2cb54ce39fd435f904d72dbbb5eef46166291adcd5106ea8d74d3c3c66aa3a5 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2026-2521 Malicious code in gc-grocery-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c6b836daf5ca49f42a298b7400842dda9e2b648326ba12651c7e968459ca12c5 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2026-2515 Malicious code in granulate-utils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 66679376251511e42a5b07462c7888555488f21e228e7b0b0e353db43256d569 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust

The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems. "The threat actor's packages were designed to impersonate legitimate developer tooling ..., while quietly functioning as...

MAL-2026-2506 Malicious code in @fairwords/encryption (npm)

The @fairwords/encryption package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+ environment variab...

MAL-2026-2508 Malicious code in @fairwords/websocket (npm)

The @fairwords/websocket package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+ environment variabl...

How LiteLLM Turned Developer Machines Into Credential Vaults for Attackers

The most active piece of enterprise infrastructure in the company is the developer workstation. That laptop is where credentials are created, tested, cached, copied, and reused across services, bots, build tools, and now local AI agents. In March 2026, the TeamPCP threat actor proved just how...

Malicious code in gangomodule (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8117683c90fb188f9fc013b3b3006dc5e31269d2511dd7c80eea9ac7b6892d09 During installation, obfuscated code validates the environment against typical sandboxing signs and attempts to download the next stages from remote sources. T...

Malicious code in pycolorlib3 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 22c84d1bcfac7d68fb2db1c9610d281372db5e2ef93edb1a90903c6a6b772e6c During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

MAL-2026-2431 Malicious code in nwin32tls (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a47778618cad57dbc584afdff7ed138032b69c423a9812e1bc8f86c13129f01d Importing the module starts a loop that listens to key strokes and on every capslock press exfiltrates screenshot to a hardcoded location. --- Category:...

Malicious code in eht-account (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7e1fa4f35985059ad18e3e325fc65e1d25a5692cc9690a4b15af2d76492b95fe Clones of a legitimate library. During processing the private key, it's getting exfiltrated. --- Category: MALICIOUS - The campaign has clearly malicious inten...