MAL-2026-10770

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/govpkg/MAL-2026-10770.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10770
Aliases
  • GHSA-f88m-xf6h-ph28
Published
2026-07-17T13:49:45Z
Modified
2026-07-18T02:04:35.547575808Z
Summary
Malicious code in govpkg (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: ghsa-malware (ae4127ce9f51f78b54d36d3fed4dcf206062f36a84588a0c65d99443d059332e)

Source: kam193 (736ef874636ee77d0a5007dea41ad6329e0d5523bfeb5254930985f451a6f6f6)

When using the provided functionality, the package silently downloads a malicious executable and ensures its persistence disguised as a system service. The binary connects with telegra[.]ph.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-govpkg

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • action-hidden-in-lib-usage

  • persistence


Credit: OpenSSF (source)

Source: kam193 (736ef874636ee77d0a5007dea41ad6329e0d5523bfeb5254930985f451a6f6f6)

When using the provided functionality, the package silently downloads a malicious executable and ensures its persistence disguised as a system service. The binary connects with telegra[.]ph.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-govpkg

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • action-hidden-in-lib-usage

  • persistence

Database specific
{
    "iocs": {
        "urls": [
            "https://temp.sh/NBZzm/client"
        ]
    },
    "malicious-packages-origins": [
        {
            "source": "kam193",
            "sha256": "736ef874636ee77d0a5007dea41ad6329e0d5523bfeb5254930985f451a6f6f6",
            "import_time": "2026-07-17T14:36:15.613511653Z",
            "modified_time": "2026-07-17T13:49:45.61167Z",
            "id": "pypi/2026-07-govpkg/govpkg",
            "versions": [
                "0.1.0",
                "0.2.0"
            ]
        },
        {
            "source": "ghsa-malware",
            "sha256": "ae4127ce9f51f78b54d36d3fed4dcf206062f36a84588a0c65d99443d059332e",
            "import_time": "2026-07-18T01:54:31.680706948Z",
            "modified_time": "2026-07-18T01:23:05Z",
            "id": "GHSA-f88m-xf6h-ph28",
            "versions": [
                "0.2.0",
                "0.1.0"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / govpkg

Package

Affected ranges

Affected versions

0.*
0.1.0
0.2.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/govpkg/MAL-2026-10770.json"