MAL-2026-2138
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/open-vp-cal/MAL-2026-2138.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-2138
- Published
- 2026-03-24T19:30:00Z
- Modified
- 2026-03-24T20:32:06.589702Z
- Summary
- Malicious code in open-vp-cal (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (ab8c06b5d7e9b98d62708ab7377d9e18a214e884c69b0c7217979121aed06917)
When executing the module, the code installs a package from a remote location. The remote package contains malicious code exfiltrating selected env variables and selected information from credential files. The code claims to be security research.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-03-open-vp-cal
Reasons (based on the campaign):
exfiltration-env-variables
Downloads and executes a remote malicious script.
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
- Database specific
{ "iocs": { "domains": [ "pack.nppacks.com", "nppacks.com" ], "urls": [ "http://pack.nppacks.com/pip/open-vp-cal-spg-jp", "http://pack.nppacks.com/kurkur.php" ] }, "malicious-packages-origins": [ { "versions": [ "1.3.1" ], "sha256": "ab8c06b5d7e9b98d62708ab7377d9e18a214e884c69b0c7217979121aed06917", "id": "pypi/2026-03-open-vp-cal/open-vp-cal", "import_time": "2026-03-24T20:16:47.763689482Z", "modified_time": "2026-03-24T19:30:00.587584Z", "source": "kam193" } ] }- References
- Credits
-
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / open-vp-cal
Package
- Name
- open-vp-cal
- View open source insights on deps.dev
- Purl
- pkg:pypi/open-vp-cal