MAL-2026-1223

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/risk-utilities/MAL-2026-1223.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-1223

Published

2026-03-03T18:10:56Z

Modified

2026-03-23T20:32:08.763598Z

Summary

Malicious code in risk-utilities (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (22f9a9b921e53b4755c41241969fcc8b410b09f29a63ed9c23c5a19c966b4946)

During installation, the package starts obfuscated code that downloads and runs remote executables in specific environments. In some packages in the campaign, the code only attempts to exfiltrate some basic information using DNS requests and then likely cover tracks by installing a similarly named package from private repository

Related campaigns: 2026-02-spark-audit-notify, 2026-03-geekennedy

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-02-urllib-slim

Reasons (based on the campaign):

typosquatting
Downloads and executes a remote executable.
obfuscation
dependency-confusion

Database specific

{
    "iocs": {
        "domains": [
            "1r.vc",
            "i.1r.vc"
        ],
        "urls": [
            "https://storage.googleapis.com/py-pi/python_mac",
            "https://storage.googleapis.com/py-pi/python_rhel",
            "https://storage.googleapis.com/py-pi/python_win"
        ]
    },
    "malicious-packages-origins": [
        {
            "versions": [
                "6.0.0",
                "6.0.1"
            ],
            "modified_time": "2026-03-03T18:10:56.712414Z",
            "sha256": "e348257ce9a3bae45ebd2659c04fbfea50b94293533efd04ce326900921fd130",
            "id": "pypi/2026-02-urllib-slim/risk-utilities",
            "source": "kam193",
            "import_time": "2026-03-03T18:20:16.084293705Z"
        },
        {
            "versions": [
                "6.0.0",
                "6.0.1"
            ],
            "modified_time": "2026-03-03T18:10:56.712414Z",
            "sha256": "b2fd5ee5125e623ac64304c210f37c85d220b214f5102c2df2beb781e37178af",
            "id": "pypi/2026-02-urllib-slim/risk-utilities",
            "source": "kam193",
            "import_time": "2026-03-03T19:20:04.715924706Z"
        },
        {
            "versions": [
                "6.0.0",
                "6.0.1"
            ],
            "modified_time": "2026-03-03T18:10:56.712414Z",
            "sha256": "22f9a9b921e53b4755c41241969fcc8b410b09f29a63ed9c23c5a19c966b4946",
            "id": "pypi/2026-02-urllib-slim/risk-utilities",
            "source": "kam193",
            "import_time": "2026-03-23T20:16:57.850797409Z"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / risk-utilities

Package

Name: risk-utilities; View open source insights on deps.dev
Purl: pkg:pypi/risk-utilities

Affected ranges

Affected versions

6.*

6.0.0

6.0.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/risk-utilities/MAL-2026-1223.json"