MAL-2026-2244

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fluxhttp/MAL-2026-2244.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-2244

Published

2026-03-26T20:49:03Z

Modified

2026-03-26T22:02:35.983499Z

Summary

Malicious code in fluxhttp (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (2669b72303bd592ba1633febc04bca1f0a8804d8546baf21b5f3f12baaa80f29)

Malicious clone of a legitimate package. When using it, the code attempts to download and execute remote code. In on of the incarnations, the malicious code was embeded in the strongly obfuscated file, which at least collected data from cryptowallets and password managers and exfiltrated them to a hardcoded remote location.

The downloaded next stage varies depending on the running platform. On Windows, it's extream obfuscated script. On Linux and MacOS they are binaries, named "systemd-resolved" and "com.apple.systemevents" with clear signs of stealing browsers and cryptocurrency data.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-license-utils-kit

Reasons (based on the campaign):

infostealer
obfuscation
crypto-related
action-hidden-in-lib-usage
exfiltration-credentials
clones-real-package

Database specific

{
    "iocs": {
        "ips": [
            "66.45.225.94"
        ],
        "domains": [
            "apachelicense.vercel.app"
        ]
    },
    "malicious-packages-origins": [
        {
            "versions": [
                "1a1",
                "1.0.1",
                "1.0.2"
            ],
            "sha256": "89f45079c25c2a6ce670f2f2a1d79b0680ce53717df7be67130280fc866e4995",
            "id": "pypi/2026-03-license-utils-kit/fluxhttp",
            "import_time": "2026-03-26T21:12:58.942615Z",
            "modified_time": "2026-03-26T20:57:34.789745Z",
            "source": "kam193"
        },
        {
            "versions": [
                "1a1",
                "1.0.1",
                "1.0.2"
            ],
            "sha256": "2669b72303bd592ba1633febc04bca1f0a8804d8546baf21b5f3f12baaa80f29",
            "id": "pypi/2026-03-license-utils-kit/fluxhttp",
            "import_time": "2026-03-26T21:44:48.189983508Z",
            "modified_time": "2026-03-26T20:57:34.789745Z",
            "source": "kam193"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / fluxhttp

Package

Name: fluxhttp; View open source insights on deps.dev
Purl: pkg:pypi/fluxhttp

Affected ranges

Affected versions

Other

1a1

1.*

1.0.1

1.0.2

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fluxhttp/MAL-2026-2244.json"