{"id":"MAL-2026-1000","summary":"Malicious code in scraper-npm (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (5705e85e8288aeffbfe964329624dcbb5b2e30cebb0023da5b605ee5fb0aef4e)\nDuring import, the package exfiltrates files (especially .env and JSON) and eventually configures a backdoor by adding its own SSH key to the authorized_keys.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-02-scraper-npm\n\n\nReasons (based on the campaign):\n\n\n - files-exfiltration\n\n\n - backdoor\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n","modified":"2026-02-23T10:03:19.461917Z","published":"2026-02-23T08:59:49Z","database_specific":{"iocs":{"urls":["https://api.bensaru.site/api/validate/files"],"domains":["api.bensaru.site","bensaru.site"]},"malicious-packages-origins":[{"id":"pypi/2026-02-scraper-npm/scraper-npm","sha256":"5705e85e8288aeffbfe964329624dcbb5b2e30cebb0023da5b605ee5fb0aef4e","versions":["1.0.4"],"import_time":"2026-02-23T09:23:51.901509003Z","source":"kam193","modified_time":"2026-02-23T08:59:49.553899Z"},{"id":"pypi/2026-02-scraper-npm/scraper-npm","sha256":"d7f20e2472b63356859f93d837362f5473465c3bfe950dc41183d41aa2790d67","versions":["1.0.4"],"import_time":"2026-02-23T09:49:38.141206339Z","source":"kam193","modified_time":"2026-02-23T08:59:49.553899Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/scraper-npm"}],"affected":[{"package":{"name":"scraper-npm","ecosystem":"PyPI","purl":"pkg:pypi/scraper-npm"},"versions":["1.0.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/scraper-npm/MAL-2026-1000.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}