MAL-2026-2119

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/apachelicense/MAL-2026-2119.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-2119

Published

2026-03-23T20:41:45Z

Modified

2026-03-26T22:04:54.765030Z

Summary

Malicious code in apachelicense (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (9d96d45a87e117e72107d6d6dfbe8c4e94323323bc28ce9accd8ccba39a0a46c)

Malicious clone of legitimate "license" package. When using the findbykey function, the malicious code from strongly obfuscated files is loaded. It then at least collects data from cryptowallets and password managers and exfiltrate them to a hardcoded remote location.

Prior version 0.1b2, the malicious code was hosted externally and downloaded when triggered.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-license-utils-kit

Reasons (based on the campaign):

infostealer
obfuscation
crypto-related
action-hidden-in-lib-usage
exfiltration-credentials
clones-real-package

Database specific

{
    "iocs": {
        "ips": [
            "66.45.225.94"
        ],
        "domains": [
            "apachelicense.vercel.app"
        ]
    },
    "malicious-packages-origins": [
        {
            "versions": [
                "0.1a1"
            ],
            "sha256": "9d96d45a87e117e72107d6d6dfbe8c4e94323323bc28ce9accd8ccba39a0a46c",
            "id": "pypi/2026-03-license-utils-kit/apachelicense",
            "import_time": "2026-03-23T20:48:31.567612116Z",
            "modified_time": "2026-03-23T20:41:45.460194Z",
            "source": "kam193"
        },
        {
            "versions": [
                "0.1a1"
            ],
            "sha256": "8cb3d989a52bed71e3c0c981edf8cf82632c1fc6e3a0ea9c39f812e7967848a7",
            "id": "pypi/2026-03-license-utils-kit/apachelicense",
            "import_time": "2026-03-23T21:47:45.570498475Z",
            "modified_time": "2026-03-23T20:41:45.460194Z",
            "source": "kam193"
        },
        {
            "versions": [
                "0.1a1"
            ],
            "sha256": "031eef30ab036b21c588c2057db7591f222501d19364223cc502b09d63811c6f",
            "id": "pypi/2026-03-license-utils-kit/apachelicense",
            "import_time": "2026-03-26T21:44:48.187993542Z",
            "modified_time": "2026-03-23T20:41:45.460194Z",
            "source": "kam193"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / apachelicense

Package

Name: apachelicense; View open source insights on deps.dev
Purl: pkg:pypi/apachelicense

Affected ranges

Affected versions

0.*

0.1a1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/apachelicense/MAL-2026-2119.json"