{"id":"MAL-2026-1136","summary":"Malicious code in amigapythonupdater (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (46cf32631436ddacf36a4984b254c10554b4e94c6099c5012a96ec3a7c5426a1)\nDuring import, only in specific environments, a module containing code disguised as telemetry is imported. This code then exfiltrates sensitive environment variables and cloud tokens to a hardcoded location, as well as starts a job listening for commands to execute. Likely dependency confusion attempts\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-02-amigapythonupdater\n\n\nReasons (based on the campaign):\n\n\n - exfiltration-generic\n\n\n - exfiltration-env-variables\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n\n\n - dependency-confusion\n","modified":"2026-04-01T12:45:58.841293Z","published":"2026-03-02T18:49:05Z","database_specific":{"iocs":{"ips":["77.91.65.24"]},"malicious-packages-origins":[{"source":"kam193","modified_time":"2026-03-02T18:49:05.586675Z","sha256":"46cf32631436ddacf36a4984b254c10554b4e94c6099c5012a96ec3a7c5426a1","versions":["3.1.0","3.1.1"],"import_time":"2026-03-02T19:19:23.801047794Z","id":"pypi/2026-02-amigapythonupdater/amigapythonupdater"},{"source":"reversing-labs","modified_time":"2026-03-18T12:10:58Z","sha256":"424b9e1378b3acc560f20206c797a80be92759e8a7e412930c28ae69cc4243ac","versions":["3.1.0","3.1.1"],"import_time":"2026-03-19T12:18:15.492949944Z","id":"RLMA-2026-00061"},{"source":"reversing-labs","modified_time":"2026-03-24T15:21:45Z","sha256":"7610023da2e27888c3037bc9f56c846c5347ba33a91232e26cab5d5980d88535","import_time":"2026-04-01T12:26:12.89666971Z","id":"RLUA-2026-01676"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/amigapythonupdater"}],"affected":[{"package":{"name":"amigapythonupdater","ecosystem":"PyPI","purl":"pkg:pypi/amigapythonupdater"},"versions":["3.1.0","3.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/amigapythonupdater/MAL-2026-1136.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}