MAL-2026-1263

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/python-module-installer/MAL-2026-1263.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-1263

Published

2026-03-06T13:02:02Z

Modified

2026-03-06T14:01:21.555054Z

Summary

Malicious code in python-module-installer (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (61bfa181c5afb9e33e0d529138c813fc05d8130062182d9d1a5cb4ef9c8da0ea)

The package clones a legitimate webdavclient3 library and modifies it to be an installer utility. During installation, the package exfiltrates the current working directory to a remote WebDAV server or Telegram Bot. Additionally, the package targets cryptocurrency operations in another suspicious project, https://github.com/fewcatltd/zkSync/

The install_modules() method injects code into two files, which are characteristic for this repository, and causes exfiltrating configuration files during cryptocurrency exchange operations.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-old-python-module-installer

Reasons (based on the campaign):

impersonation
dependency-confusion
files-exfiltration
action-hidden-in-lib-usage
clones-real-package
crypto-related
exfiltration-crypto

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-03-06T13:50:46.64818873Z",
            "id": "pypi/2026-03-old-python-module-installer/python-module-installer",
            "source": "kam193",
            "sha256": "61bfa181c5afb9e33e0d529138c813fc05d8130062182d9d1a5cb4ef9c8da0ea",
            "modified_time": "2026-03-06T13:02:03.199623Z",
            "versions": [
                "3.15.6",
                "3.15.7",
                "3.15.8",
                "3.15.9",
                "3.15.10"
            ]
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / python-module-installer

Package

Name: python-module-installer; View open source insights on deps.dev
Purl: pkg:pypi/python-module-installer

Affected ranges

Affected versions

3.*

3.15.6

3.15.7

3.15.8

3.15.9

3.15.10

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/python-module-installer/MAL-2026-1263.json"