{"id":"MAL-2026-3210","summary":"Malicious code in graphicsctxr (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (10408decaf8cace14b8124fa392ee96996c3c91358cb454cbfcd45790d18cdf9)\nPackage contains code to exfiltrate .env to a remote target. Prior to version 2.1.1, it also created a persistent backdoor via embedding a hardcoded SSH key. Malicious action is triggered when running as a module.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-04-renderctx\n\n\nReasons (based on the campaign):\n\n\n - backdoor\n\n\n - files-exfiltration\n\n\n - crypto-related\n\n\n - The malicious code is intentionally included in a dependency of the package\n","modified":"2026-05-01T16:02:00.650852Z","published":"2026-05-01T11:13:48Z","database_specific":{"iocs":{"domains":["renderkit1.vercel.app"],"urls":["https://renderkit1.vercel.app"]},"malicious-packages-origins":[{"sha256":"34bd28973c19fb216e480f592ebb72871a414aad3113095cc700641f1c30ec60","id":"pypi/2026-04-renderctx/graphicsctxr","versions":["1.0.1","1.0.2","1.0.3","1.0.4","2.1.1","2.2.1","2.2.2"],"modified_time":"2026-05-01T11:26:11.856045Z","source":"kam193","import_time":"2026-05-01T11:55:33.881971341Z"},{"sha256":"10408decaf8cace14b8124fa392ee96996c3c91358cb454cbfcd45790d18cdf9","id":"pypi/2026-04-renderctx/graphicsctxr","versions":["1.0.1","1.0.2","1.0.3","1.0.4","2.1.1","2.2.1","2.2.2"],"modified_time":"2026-05-01T11:26:11.856045Z","source":"kam193","import_time":"2026-05-01T14:29:30.478727324Z"},{"sha256":"b839d254c22132d7021df652975bb55f3592b26266146e6495881a98215e5a6d","id":"pypi/2026-04-renderctx/graphicsctxr","versions":["1.0.1","1.0.2","1.0.3","1.0.4","2.1.1","2.2.1","2.2.2","2.2.3"],"modified_time":"2026-05-01T15:32:51.395435Z","source":"kam193","import_time":"2026-05-01T15:50:15.403500511Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/graphicsctxr"},{"type":"WEB","url":"https://github.com/0xsebasneuron"},{"type":"WEB","url":"https://socket.dev/supply-chain-attacks/north-korea-s-contagious-interview-campaign"},{"type":"WEB","url":"https://github.com/0xsebasneuron/polymarket-arbitrage-copy-trading-bot-V2/commit/4dae9aea3c35a627a7f38a28946f73af18930a3e#diff-4d7c51b1efe9043e44439a949dfd92e5827321b34082903477fd04876edb7552"}],"affected":[{"package":{"name":"graphicsctxr","ecosystem":"PyPI","purl":"pkg:pypi/graphicsctxr"},"versions":["1.0.1","1.0.2","1.0.3","1.0.4","2.1.1","2.2.1","2.2.2","2.2.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/graphicsctxr/MAL-2026-3210.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}