{"id":"MAL-2026-912","summary":"Malicious code in http-request-toolkit (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (13b29a753802db633ab987963543535999a246049761d4d29699b66edf207f13)\nDuring import, package masquerade and starts an embedded executable. The executable has signs of infostealer activity\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-02-requests-toolkit\n\n\nReasons (based on the campaign):\n\n\n - impersonation\n\n\n - infostealer\n\n\n - malware\n\n\n - The package contains code to detect if it is running in a sandbox environment.\n\n\n - keylogger\n","modified":"2026-03-19T12:53:43.717866Z","published":"2026-02-16T07:03:21Z","database_specific":{"malicious-packages-origins":[{"source":"kam193","import_time":"2026-02-16T07:28:49.580166101Z","versions":["2.28.3","2.28.4","2.28.5"],"sha256":"13b29a753802db633ab987963543535999a246049761d4d29699b66edf207f13","modified_time":"2026-02-16T07:03:21.22114Z","id":"pypi/2026-02-requests-toolkit/http-request-toolkit"},{"source":"reversing-labs","import_time":"2026-03-19T12:18:17.967835409Z","versions":["2.28.3","2.28.4","2.28.5"],"sha256":"8611f488d8714ccabd0499250be69556cbaffbf4b7e0bc18b179bde7fff3d722","modified_time":"2026-03-18T12:14:43Z","id":"RLMA-2026-00396"}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/af261caf84b235f17213f8deada55b8b867b5dcf7932330ca1a502e8530a35a5/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/http-request-toolkit"}],"affected":[{"package":{"name":"http-request-toolkit","ecosystem":"PyPI","purl":"pkg:pypi/http-request-toolkit"},"versions":["2.28.3","2.28.4","2.28.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/http-request-toolkit/MAL-2026-912.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}