MAL-2026-1000
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/scraper-npm/MAL-2026-1000.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-1000
- Published
- 2026-02-23T08:59:49Z
- Modified
- 2026-02-23T10:03:19.461917Z
- Summary
- Malicious code in scraper-npm (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (5705e85e8288aeffbfe964329624dcbb5b2e30cebb0023da5b605ee5fb0aef4e)
During import, the package exfiltrates files (especially .env and JSON) and eventually configures a backdoor by adding its own SSH key to the authorized_keys.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-02-scraper-npm
Reasons (based on the campaign):
files-exfiltration
backdoor
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
- Database specific
{ "iocs": { "domains": [ "api.bensaru.site", "bensaru.site" ], "urls": [ "https://api.bensaru.site/api/validate/files" ] }, "malicious-packages-origins": [ { "source": "kam193", "id": "pypi/2026-02-scraper-npm/scraper-npm", "modified_time": "2026-02-23T08:59:49.553899Z", "sha256": "5705e85e8288aeffbfe964329624dcbb5b2e30cebb0023da5b605ee5fb0aef4e", "versions": [ "1.0.4" ], "import_time": "2026-02-23T09:23:51.901509003Z" }, { "source": "kam193", "id": "pypi/2026-02-scraper-npm/scraper-npm", "modified_time": "2026-02-23T08:59:49.553899Z", "sha256": "d7f20e2472b63356859f93d837362f5473465c3bfe950dc41183d41aa2790d67", "versions": [ "1.0.4" ], "import_time": "2026-02-23T09:49:38.141206339Z" } ] }- References
- Credits
-
-
- Kamil Mańkowski (kam193) - ANALYST
-
- Kamil Mańkowski (kam193) - REPORTER
-
Affected packages
PyPI / scraper-npm
Package
- Name
- scraper-npm
- View open source insights on deps.dev
- Purl
- pkg:pypi/scraper-npm