MAL-2026-2120

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/logutilkit/MAL-2026-2120.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-2120

Published

2026-03-23T22:53:57Z

Modified

2026-03-26T22:04:18.145323Z

Summary

Malicious code in logutilkit (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (25a26f2dc6e0a8e2ba3bd43492fbffa597b39065e3f3378ea976dcabddf8fbf8)

Malicious clone of a legitimate package. When using it, the code attempts to download and execute remote code. In on of the incarnations, the malicious code was embeded in the strongly obfuscated file, which at least collected data from cryptowallets and password managers and exfiltrated them to a hardcoded remote location.

The downloaded next stage varies depending on the running platform. On Windows, it's extream obfuscated script. On Linux and MacOS they are binaries, named "systemd-resolved" and "com.apple.systemevents" with clear signs of stealing browsers and cryptocurrency data.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-license-utils-kit

Reasons (based on the campaign):

infostealer
obfuscation
crypto-related
action-hidden-in-lib-usage
exfiltration-credentials
clones-real-package

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-03-23T22:53:57.416367Z",
            "versions": [
                "1.0.1"
            ],
            "id": "pypi/2026-03-license-utils-kit/logutilkit",
            "import_time": "2026-03-23T23:45:18.693550378Z",
            "source": "kam193",
            "sha256": "ac7ea80d57c3c34f71f9245d7c01172c9f5dfb7a757274b58253df1c3dff24e7"
        },
        {
            "modified_time": "2026-03-23T22:53:57.416367Z",
            "versions": [
                "1.0.1"
            ],
            "id": "pypi/2026-03-license-utils-kit/logutilkit",
            "import_time": "2026-03-26T21:44:48.19215368Z",
            "source": "kam193",
            "sha256": "25a26f2dc6e0a8e2ba3bd43492fbffa597b39065e3f3378ea976dcabddf8fbf8"
        }
    ],
    "iocs": {
        "ips": [
            "66.45.225.94"
        ],
        "domains": [
            "apachelicense.vercel.app"
        ]
    }
}

References

Credits

- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / logutilkit

Package

Name: logutilkit; View open source insights on deps.dev
Purl: pkg:pypi/logutilkit

Affected ranges

Affected versions

1.*

1.0.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/logutilkit/MAL-2026-2120.json"