{"id":"MAL-2026-1408","summary":"Malicious code in nai (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (a9e4650a322afd07ff77c3f934248e52f477f2d1cebd0c84b1074bdba1142efe)\nPackage is a hacking tool that not only abuses 3rd-party services but also silently exfiltrates credentials the user uses to log in there. The provided account is also forced to follow the attacker's accounts.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-old-nai\n\n\nReasons (based on the campaign):\n\n\n - exfiltration-credentials\n\n\n - abusing-3rd-api\n\n\n - action-hidden-in-lib-usage\n","modified":"2026-03-13T11:14:40.691572Z","published":"2026-03-13T10:31:39Z","database_specific":{"malicious-packages-origins":[{"versions":["1.4","1.5","1.6","1.7","1.8","1.9","2.0","2.1","2.2","2.3","2.4","2.5","2.8","2.9","3.0","3.1"],"sha256":"a9e4650a322afd07ff77c3f934248e52f477f2d1cebd0c84b1074bdba1142efe","modified_time":"2026-03-13T10:31:39.702401Z","id":"pypi/2026-03-old-nai/nai","import_time":"2026-03-13T10:47:31.130659444Z","source":"kam193"}],"iocs":{"domains":["nasweb.000webhostapp.com"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/nai"}],"affected":[{"package":{"name":"nai","ecosystem":"PyPI","purl":"pkg:pypi/nai"},"versions":["1.4","1.5","1.6","1.7","1.8","1.9","2.0","2.1","2.2","2.3","2.4","2.5","2.8","2.9","3.0","3.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/nai/MAL-2026-1408.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}