{"id":"MAL-2026-2948","summary":"Malicious code in leavemealone (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (5628eb1d01e8eb7de8a582cd9ea85dff68eafde06f4e1164ae92842354db0bf7)\nWhile the package is being built, it executes encrypted code. The content is unclear, as the decryption key is based on the local environment variable. Given that it leaves a \"flag\" file at the end, this package can also be part of a CTF-like exercise, but it's not possible to be sure given the encrypted payload.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-04-leavemealone\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n","modified":"2026-04-20T09:49:40.420767Z","published":"2026-04-20T08:39:35Z","database_specific":{"malicious-packages-origins":[{"id":"pypi/2026-04-leavemealone/leavemealone","sha256":"5628eb1d01e8eb7de8a582cd9ea85dff68eafde06f4e1164ae92842354db0bf7","modified_time":"2026-04-20T08:39:35.545786Z","versions":["0.1.1","0.1.2"],"import_time":"2026-04-20T09:41:09.783192644Z","source":"kam193"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/leavemealone"}],"affected":[{"package":{"name":"leavemealone","ecosystem":"PyPI","purl":"pkg:pypi/leavemealone"},"versions":["0.1.1","0.1.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/leavemealone/MAL-2026-2948.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}