MAL-2026-2084
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/license-utils-kit/MAL-2026-2084.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-2084
- Published
- 2026-03-23T09:41:24Z
- Modified
- 2026-04-08T20:34:30.088328Z
- Summary
- Malicious code in license-utils-kit (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (eb0116c55754c947c819c966f213a99864511536a414619cf3154b89be59f9e8)
Malicious clone of legitimate "license" package. When using the findbykey function, the malicious code from strongly obfuscated files is loaded. It then at least collects data from cryptowallets and password managers and exfiltrate them to a hardcoded remote location.
Prior version 0.1b2, the malicious code was hosted externally and downloaded when triggered.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-03-license-utils-kit
Reasons (based on the campaign):
infostealer
obfuscation
crypto-related
action-hidden-in-lib-usage
exfiltration-credentials
clones-real-package
- Database specific
{ "iocs": { "domains": [ "apachelicense.vercel.app" ], "ips": [ "66.45.225.94" ] }, "malicious-packages-origins": [ { "source": "kam193", "modified_time": "2026-03-23T09:41:24.830461Z", "sha256": "62f1d552063d20e655d715a6f7309c0af7776c3e23d3ae6d3f9c95148a751d93", "import_time": "2026-03-23T09:52:03.22990555Z", "versions": [ "0.1a0", "0.1a1", "0.1b1", "0.1b2", "0.1b3", "0.1b4" ], "id": "pypi/2026-03-license-utils-kit/license-utils-kit" }, { "source": "kam193", "modified_time": "2026-03-23T09:43:36.165595Z", "sha256": "eb0116c55754c947c819c966f213a99864511536a414619cf3154b89be59f9e8", "import_time": "2026-03-23T10:26:15.243333899Z", "versions": [ "0.1a0", "0.1a1", "0.1b1", "0.1b2", "0.1b3", "0.1b4" ], "id": "pypi/2026-03-license-utils-kit/license-utils-kit" }, { "source": "kam193", "modified_time": "2026-03-23T10:57:51.247175Z", "sha256": "e88284f81b2f177fd9c635d7620c4ca79aace81726b0c8450a4e9783479bc693", "import_time": "2026-03-23T11:21:16.958800023Z", "versions": [ "0.1a0", "0.1a1", "0.1b1", "0.1b2", "0.1b3", "0.1b4", "0.1rc1" ], "id": "pypi/2026-03-license-utils-kit/license-utils-kit" }, { "source": "kam193", "modified_time": "2026-03-23T11:38:58.244654Z", "sha256": "4676290f79051bbfdd0e995eb6d3705071f602decb130857322d66700dc3927d", "import_time": "2026-03-23T11:48:05.440033189Z", "versions": [ "0.1a0", "0.1a1", "0.1b1", "0.1b2", "0.1b3", "0.1b4", "0.1rc1", "0.1rc2", "0.1rc3" ], "id": "pypi/2026-03-license-utils-kit/license-utils-kit" }, { "source": "kam193", "modified_time": "2026-03-23T11:38:58.244654Z", "sha256": "55f50e7ea85ed70e908ffc32d0b2bd56b8e79350a4e26718053af77c6124900c", "import_time": "2026-03-26T21:44:48.190931698Z", "versions": [ "0.1a0", "0.1a1", "0.1b1", "0.1b2", "0.1b3", "0.1b4", "0.1rc1", "0.1rc2", "0.1rc3" ], "id": "pypi/2026-03-license-utils-kit/license-utils-kit" }, { "source": "kam193", "modified_time": "2026-03-23T11:38:58.244654Z", "sha256": "6821809cb241c12a1033fdbc4b055007c7563a9d083957a237507e2d5ba857c9", "import_time": "2026-04-08T20:17:57.40849284Z", "versions": [ "0.1a0", "0.1a1", "0.1b1", "0.1b2", "0.1b3", "0.1b4", "0.1rc1", "0.1rc2", "0.1rc3" ], "id": "pypi/2026-03-license-utils-kit/license-utils-kit" } ] }- References
-
- https://bad-packages.kam193.eu/pypi/package/license-utils-kit
- https://www.virustotal.com/gui/file/9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58/detection
- https://www.virustotal.com/gui/file/bb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd
- https://socket.dev/blog/contagious-interview-campaign-spreads-across-5-ecosystems
- Credits
-
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / license-utils-kit
Package
- Name
- license-utils-kit
- View open source insights on deps.dev
- Purl
- pkg:pypi/license-utils-kit