-= Per source details. Do not edit below this line.=-
During import, only in specific environments, a module containing code disguised as telemetry is imported. This code then exfiltrates sensitive environment variables and cloud tokens to a hardcoded location, as well as starts a job listening for commands to execute. Likely dependency confusion attempts
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-02-amigapythonupdater
Reasons (based on the campaign):
exfiltration-generic
exfiltration-env-variables
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
dependency-confusion
{
"malicious-packages-origins": [
{
"sha256": "44b549b64558430b61d35bb2eb2cfcf8ec15d75bacb38af8f34deafe5d6add2c",
"id": "pypi/2026-02-amigapythonupdater/heimdal-credentials",
"import_time": "2026-03-02T19:19:23.804321686Z",
"modified_time": "2026-03-02T18:48:28.160683Z",
"versions": [
"2.1.0"
],
"source": "kam193"
},
{
"sha256": "dc5440468dbe195642a1ef1f836ec185cb211900197d3fb5219e1a87c117ab1b",
"id": "RLMA-2026-00380",
"import_time": "2026-03-19T12:18:17.802080885Z",
"modified_time": "2026-03-18T12:14:32Z",
"versions": [
"2.1.0"
],
"source": "reversing-labs"
},
{
"sha256": "7db4e676f3598bf9a1f85f1e89bbc991e18d0e7ef1636bf1606d835175c482af",
"id": "RLUA-2026-01682",
"import_time": "2026-04-01T12:26:13.120001298Z",
"modified_time": "2026-03-24T15:22:13Z",
"source": "reversing-labs"
}
],
"iocs": {
"ips": [
"77.91.65.24"
]
}
}