{"id":"MAL-2026-1263","summary":"Malicious code in python-module-installer (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (61bfa181c5afb9e33e0d529138c813fc05d8130062182d9d1a5cb4ef9c8da0ea)\nThe package clones a legitimate webdavclient3 library and modifies it to be an installer utility. During installation, the package exfiltrates the current working directory to a remote WebDAV server or Telegram Bot. Additionally, the package targets cryptocurrency operations in another suspicious project, https://github.com/fewcatltd/zkSync/\n\nThe install_modules() method injects code into two files, which are characteristic for this repository, and causes exfiltrating configuration files during cryptocurrency exchange operations.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-old-python-module-installer\n\n\nReasons (based on the campaign):\n\n\n - impersonation\n\n\n - dependency-confusion\n\n\n - files-exfiltration\n\n\n - action-hidden-in-lib-usage\n\n\n - clones-real-package\n\n\n - crypto-related\n\n\n - exfiltration-crypto\n","modified":"2026-03-06T14:01:21.555054Z","published":"2026-03-06T13:02:02Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-03-06T13:02:03.199623Z","versions":["3.15.6","3.15.7","3.15.8","3.15.9","3.15.10"],"import_time":"2026-03-06T13:50:46.64818873Z","source":"kam193","sha256":"61bfa181c5afb9e33e0d529138c813fc05d8130062182d9d1a5cb4ef9c8da0ea","id":"pypi/2026-03-old-python-module-installer/python-module-installer"}]},"references":[{"type":"WEB","url":"https://github.com/Python-source-dev/python-module-installer/commit/f58c60b95e98dc9ae8f0fb03ed8eaa5fa23e14cf"},{"type":"WEB","url":"https://github.com/Python-source-dev/python-module-installer"},{"type":"WEB","url":"https://github.com/python-requirements/requirements"},{"type":"WEB","url":"https://github.com/fewcatltd/zkSync/"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/python-module-installer"}],"affected":[{"package":{"name":"python-module-installer","ecosystem":"PyPI","purl":"pkg:pypi/python-module-installer"},"versions":["3.15.6","3.15.7","3.15.8","3.15.9","3.15.10"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/python-module-installer/MAL-2026-1263.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}