{"id":"MAL-2026-28","summary":"Malicious code in chrome-stealth (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (a97fed2b45bf12e5c4ba72089cdc2a1aff4ef42cb5eed242565268439946041a)\nBy using the package, the computer is attached to participate in a proxy network and share its IP and bandwidth. This is clearly stated, but the package has no real functionality besides that. Additionally, the stated proxy network seems extremely shady: the domain was just registered, is closely similar to a long-existing service, and offers residential proxy only for cryptocurrencies. The company mentioned in the package information does not have a website, and the proposed way to opt-out does not work.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-01-ambertransit\n\n\nReasons (based on the campaign):\n\n\n - other\n\n\n - modify-system-without-consent\n","modified":"2026-01-03T14:46:29.346260Z","published":"2026-01-03T13:25:21Z","database_specific":{"malicious-packages-origins":[{"sha256":"a97fed2b45bf12e5c4ba72089cdc2a1aff4ef42cb5eed242565268439946041a","import_time":"2026-01-03T14:38:51.184306767Z","modified_time":"2026-01-03T13:25:21.755617Z","id":"pypi/2026-01-ambertransit/chrome-stealth","source":"kam193","versions":["0.1.0"]}],"iocs":{"domains":["ambertransit.com","proxly.cc","peers.proxly.cc"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/chrome-stealth"}],"affected":[{"package":{"name":"chrome-stealth","ecosystem":"PyPI","purl":"pkg:pypi/chrome-stealth"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/chrome-stealth/MAL-2026-28.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}