{"id":"MAL-2026-3252","summary":"Malicious code in gauth-client (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (aea1fab5eb3b9422c65232e53e79eb71ba3436355601cd61e7a7b0177779df4e)\nPackage impersonates Google and attempts to exfiltrate various credential files. It also setups PTH file for automated start during Python initialization. In the analyzed version, the exfiltration target was set as localhost suggesting it's not the final code.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-05-gauth-client\n\n\nReasons (based on the campaign):\n\n\n - exfiltration-credentials\n\n\n - impersonation\n\n\n - files-exfiltration\n","modified":"2026-05-03T22:02:04.904216Z","published":"2026-05-03T21:26:25Z","database_specific":{"malicious-packages-origins":[{"id":"pypi/2026-05-gauth-client/gauth-client","sha256":"aea1fab5eb3b9422c65232e53e79eb71ba3436355601cd61e7a7b0177779df4e","modified_time":"2026-05-03T21:26:25.089879Z","import_time":"2026-05-03T21:47:54.48009955Z","source":"kam193","versions":["0.1.0"]}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/gauth-client"}],"affected":[{"package":{"name":"gauth-client","ecosystem":"PyPI","purl":"pkg:pypi/gauth-client"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/gauth-client/MAL-2026-3252.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}