MAL-2026-2486

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/gangomodule/MAL-2026-2486.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-2486

Published

2026-04-04T12:01:55Z

Modified

2026-04-04T13:03:03.584938Z

Summary

Malicious code in gangomodule (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (8117683c90fb188f9fc013b3b3006dc5e31269d2511dd7c80eea9ac7b6892d09)

During installation, obfuscated code validates the environment against typical sandboxing signs and attempts to download the next stages from remote sources. The remote stage is a comprehensive infostealer collecting credentials from files and process memory, especially SSH keys, and covering tracks to make the forensic analysis more difficult. Naming suggests relation with a toolkit called "Aether"

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-04-gangomodule

Reasons (based on the campaign):

Downloads and executes a remote malicious script.
The package contains code to detect if it is running in a sandbox environment.
obfuscation
infostealer
exfiltration-credentials
exfiltration-ssh-keys
files-exfiltration
exfiltration-env-variables
exfiltration-generic
covering-tracks

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.20",
                "1.0.37"
            ],
            "source": "kam193",
            "import_time": "2026-04-04T12:49:19.501251782Z",
            "modified_time": "2026-04-04T12:01:55.355799Z",
            "id": "pypi/2026-04-gangomodule/gangomodule",
            "sha256": "8117683c90fb188f9fc013b3b3006dc5e31269d2511dd7c80eea9ac7b6892d09"
        }
    ],
    "iocs": {
        "urls": [
            "https://gist.githubusercontent.com/Kostiantyntem/03e0d92babe2a8a835f9718504acaaee/raw/f9c83934de3172d107df839902eb03a36bb31e22/c2.txt",
            "https://godver3isthe.one/stage2/windows/x86_64.zip",
            "https://godver3isthe.one/stage2/linux/x86_64.zip"
        ],
        "domains": [
            "godver3isthe.one"
        ]
    }
}

References

https://bad-packages.kam193.eu/pypi/package/gangomodule

Credits

- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / gangomodule

Package

Name: gangomodule; View open source insights on deps.dev
Purl: pkg:pypi/gangomodule

Affected ranges

Affected versions

1.*

1.0.20

1.0.37

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/gangomodule/MAL-2026-2486.json"