{"id":"MAL-2026-444","summary":"Malicious code in terminalbrush (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (35e06fb41f9c1a4f082cf49a72dec89fc5b4d2f6580b97e527d291d50807b801)\nPackage downloads an executable, places it distinguished as a Python binary and starts it. At the time of analysis, the URL was no longer active, so it was not possible to confirm the exact behaviour.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-01-old-terminalbrush\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n","modified":"2026-01-21T20:18:00.940147Z","published":"2026-01-21T19:31:32Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-01-21T19:31:32.049047Z","sha256":"35e06fb41f9c1a4f082cf49a72dec89fc5b4d2f6580b97e527d291d50807b801","source":"kam193","import_time":"2026-01-21T20:11:54.240415641Z","id":"pypi/2026-01-old-terminalbrush/terminalbrush","versions":["0.1","0.2.4"]}],"iocs":{"urls":["https://free-proxies.cloud/download"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/terminalbrush"}],"affected":[{"package":{"name":"terminalbrush","ecosystem":"PyPI","purl":"pkg:pypi/terminalbrush"},"versions":["0.1","0.2.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/terminalbrush/MAL-2026-444.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}