MAL-2026-2517
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/kraken-trader/MAL-2026-2517.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-2517
- Published
- 2026-04-08T20:22:02Z
- Modified
- 2026-04-08T21:01:57.724844Z
- Summary
- Malicious code in kraken-trader (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (4bf5ec6e8a6020de1e122cf07f2dde0f02fa1a484ff984586db379729da75523)
The package is a loader of malicious code disguised as remote "credits" code. The remote location, built from the parts in the code, delivers highly obfuscated JavaScript code that could be executed by the node.js runner embeded in the package. While all parts are in the package, it lacks the triggering code. As per Socket.dev attribution, it's a dependency used in North Korean fake interviews campaign.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-04-kraken-trader
Reasons (based on the campaign):
crypto-related
Downloads and executes a remote malicious script.
- Database specific
{ "malicious-packages-origins": [ { "import_time": "2026-04-08T20:48:09.468481012Z", "modified_time": "2026-04-08T20:22:02.842494Z", "sha256": "4bf5ec6e8a6020de1e122cf07f2dde0f02fa1a484ff984586db379729da75523", "source": "kam193", "versions": [ "1.0.0", "1.0.1" ], "id": "pypi/2026-04-kraken-trader/kraken-trader" } ], "iocs": { "domains": [ "bet.slotgambit.com" ], "urls": [ "https://bet.slotgambit.com/icons/112" ] } }- References
- Credits
-
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / kraken-trader
Package
- Name
- kraken-trader
- View open source insights on deps.dev
- Purl
- pkg:pypi/kraken-trader