{"id":"MAL-2026-3031","summary":"Malicious code in swampo (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (7b8e193e75e6ca7d387f21b53c251e6ee8791d9ec4ca3f37099e765415d36157)\nMulti-stage dropper. The \"analytics\" functionality fetches fake updates information that should contain the next URL. From it, a yet another URL is downloaded, and then used to perform TXT DNS queries holding the encoded next URL. From this URL, a remote script is fetched and executed. During analysis, retrieving the final payload was not successful.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-04-swampo\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - action-hidden-in-lib-usage\n","modified":"2026-04-24T20:03:23.507384Z","published":"2026-04-24T18:55:32Z","database_specific":{"iocs":{"domains":["swampo-update.vercel.app","swampo-c2.vercel.app","swampo-stage2.de-zahlung.info"],"urls":["https://swampo-update.vercel.app/v1/check","https://swampo-c2.vercel.app/manifest","https://api.counterapi.dev/v2/swampon/swampo/up"]},"malicious-packages-origins":[{"modified_time":"2026-04-24T18:55:32.851161Z","source":"kam193","sha256":"7b8e193e75e6ca7d387f21b53c251e6ee8791d9ec4ca3f37099e765415d36157","import_time":"2026-04-24T19:48:59.318564968Z","versions":["1.2.9","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.5.6","1.5.7","1.5.8","1.7.0","1.7.1"],"id":"pypi/2026-04-swampo/swampo"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/swampo"}],"affected":[{"package":{"name":"swampo","ecosystem":"PyPI","purl":"pkg:pypi/swampo"},"versions":["1.2.9","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.4.1","1.4.2","1.5.0","1.5.1","1.5.2","1.5.3","1.5.4","1.5.6","1.5.7","1.5.8","1.7.0","1.7.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/swampo/MAL-2026-3031.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}