-= Per source details. Do not edit below this line.=-
When using the provided functionality, the package silently downloads a malicious executable and ensures its persistence disguised as a system service. The binary connects with telegra[.]ph.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-govpkg
Reasons (based on the campaign):
Downloads and executes a remote executable.
action-hidden-in-lib-usage
persistence
When using the provided functionality, the package silently downloads a malicious executable and ensures its persistence disguised as a system service. The binary connects with telegra[.]ph.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-govpkg
Reasons (based on the campaign):
Downloads and executes a remote executable.
action-hidden-in-lib-usage
persistence
{
"iocs": {
"urls": [
"https://temp.sh/NBZzm/client"
]
},
"malicious-packages-origins": [
{
"source": "kam193",
"sha256": "736ef874636ee77d0a5007dea41ad6329e0d5523bfeb5254930985f451a6f6f6",
"import_time": "2026-07-17T14:36:15.613511653Z",
"modified_time": "2026-07-17T13:49:45.61167Z",
"id": "pypi/2026-07-govpkg/govpkg",
"versions": [
"0.1.0",
"0.2.0"
]
},
{
"source": "ghsa-malware",
"sha256": "ae4127ce9f51f78b54d36d3fed4dcf206062f36a84588a0c65d99443d059332e",
"import_time": "2026-07-18T01:54:31.680706948Z",
"modified_time": "2026-07-18T01:23:05Z",
"id": "GHSA-f88m-xf6h-ph28",
"versions": [
"0.2.0",
"0.1.0"
]
}
]
}