{"id":"MAL-2026-10770","summary":"Malicious code in govpkg (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: ghsa-malware (ae4127ce9f51f78b54d36d3fed4dcf206062f36a84588a0c65d99443d059332e)\n## Source: kam193 (736ef874636ee77d0a5007dea41ad6329e0d5523bfeb5254930985f451a6f6f6)\nWhen using the provided functionality, the package silently downloads a malicious executable and ensures its persistence disguised as a system service. The binary connects with telegra[.]ph.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-07-govpkg\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - action-hidden-in-lib-usage\n\n\n - persistence\n\n---\n\nCredit: [OpenSSF](https://github.com/ossf/malicious-packages) ([source](https://github.com/ossf/malicious-packages/blob/96845bb6b7c635d6860f7de9103fbaec06360beb/osv/malicious/pypi/govpkg/MAL-2026-10770.json))\n\n## Source: kam193 (736ef874636ee77d0a5007dea41ad6329e0d5523bfeb5254930985f451a6f6f6)\nWhen using the provided functionality, the package silently downloads a malicious executable and ensures its persistence disguised as a system service. The binary connects with telegra[.]ph.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-07-govpkg\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - action-hidden-in-lib-usage\n\n\n - persistence\n","aliases":["GHSA-f88m-xf6h-ph28"],"modified":"2026-07-18T02:04:35.547575808Z","published":"2026-07-17T13:49:45Z","database_specific":{"iocs":{"urls":["https://temp.sh/NBZzm/client"]},"malicious-packages-origins":[{"import_time":"2026-07-17T14:36:15.613511653Z","id":"pypi/2026-07-govpkg/govpkg","modified_time":"2026-07-17T13:49:45.61167Z","versions":["0.1.0","0.2.0"],"source":"kam193","sha256":"736ef874636ee77d0a5007dea41ad6329e0d5523bfeb5254930985f451a6f6f6"},{"id":"GHSA-f88m-xf6h-ph28","modified_time":"2026-07-18T01:23:05Z","versions":["0.2.0","0.1.0"],"source":"ghsa-malware","sha256":"ae4127ce9f51f78b54d36d3fed4dcf206062f36a84588a0c65d99443d059332e","import_time":"2026-07-18T01:54:31.680706948Z"}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/7bd6824cbcb603a4cc79728985557a74c876db2d1e8a71e2120d79e3e507525a/detection"},{"type":"EVIDENCE","url":"https://app.any.run/tasks/0fc6b9f4-8052-435b-9c0a-3d48dfe79018"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/govpkg"},{"type":"WEB","url":"https://app.any.run/tasks/0fc6b9f4-8052-435b-9c0a-3d48dfe79018"},{"type":"WEB","url":"https://www.virustotal.com/gui/file/7bd6824cbcb603a4cc79728985557a74c876db2d1e8a71e2120d79e3e507525a/detection"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-f88m-xf6h-ph28"}],"affected":[{"package":{"name":"govpkg","ecosystem":"PyPI","purl":"pkg:pypi/govpkg"},"versions":["0.1.0","0.2.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/govpkg/MAL-2026-10770.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}