{"id":"MAL-2026-2403","summary":"Malicious code in polymarkets-sdk (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (facfcba74011619f5bb2eaf096e41239f81520cb4effff3b45f8b42c84d42060)\nDuring import, the code attempts to exfiltrate to a hardcoded location sensitive data, including private SSH keys, cloud credentials and Windows SAM database.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-polymarkets-sdk\n\n\nReasons (based on the campaign):\n\n\n - exfiltration-credentials\n\n\n - files-exfiltration\n\n\n - exfiltration-cloud-tokens\n","modified":"2026-04-01T16:32:08.347801Z","published":"2026-04-01T15:30:14Z","database_specific":{"iocs":{"ips":["52.16.41.151"]},"malicious-packages-origins":[{"sha256":"facfcba74011619f5bb2eaf096e41239f81520cb4effff3b45f8b42c84d42060","id":"pypi/2026-03-polymarkets-sdk/polymarkets-sdk","versions":["1.0.0","1.0.1"],"modified_time":"2026-04-01T15:30:14.120234Z","source":"kam193","import_time":"2026-04-01T15:34:17.768474139Z"},{"sha256":"b41c34e997e591fca5ebc478ed1464d71d29fe2d2b3b276bcb56b09ff9124791","id":"pypi/2026-03-polymarkets-sdk/polymarkets-sdk","versions":["1.0.0","1.0.1"],"modified_time":"2026-04-01T15:37:06.608356Z","source":"kam193","import_time":"2026-04-01T16:25:43.525317742Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/polymarkets-sdk"}],"affected":[{"package":{"name":"polymarkets-sdk","ecosystem":"PyPI","purl":"pkg:pypi/polymarkets-sdk"},"versions":["1.0.0","1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/polymarkets-sdk/MAL-2026-2403.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}