MAL-2026-26

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pdatainstaller/MAL-2026-26.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-26
Published
2026-01-02T17:21:23Z
Modified
2026-02-23T02:57:26.816200Z
Summary
Malicious code in pdatainstaller (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (671a0098c14338197a26cb64b7f5c35c0e741f3151313fff784bc7a4862ad579)

Package is designed to download and execute a remote script, but the script itself seems to be broken (missing or wrong URLs). It's most probably a test before next packages with real malicious content.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-12-pdatainstaller

Reasons (based on the campaign):

  • Downloads and executes a remote malicious script.

  • malware

  • Downloads and executes a remote executable.

Database specific
{
    "iocs": {
        "urls": [
            "https://pastebin.com/raw/s5WB7EtG",
            "https://pastebin.com/raw/c3uYVYbT",
            "https://github.com/uunnkknnoowwnn/dang/raw/refs/heads/main/svchost.exe"
        ]
    },
    "malicious-packages-origins": [
        {
            "sha256": "671a0098c14338197a26cb64b7f5c35c0e741f3151313fff784bc7a4862ad579",
            "id": "pypi/2025-12-pdatainstaller/pdatainstaller",
            "source": "kam193",
            "import_time": "2026-01-03T01:35:30.521984639Z",
            "modified_time": "2026-01-02T17:21:23.366503Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "sha256": "43639109001c8715b46aa2fad8a81b420f3d4b0d33f98429a4446a41071fff11",
            "id": "pypi/2025-12-pdatainstaller/pdatainstaller",
            "source": "kam193",
            "import_time": "2026-01-07T20:40:53.380621668Z",
            "modified_time": "2026-01-02T17:21:23.366503Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "sha256": "a0f61d7119c73856199e3d68b6a50685c53fbe27a1de18134f9e9d61e239e3cf",
            "id": "pypi/2025-12-pdatainstaller/pdatainstaller",
            "source": "kam193",
            "import_time": "2026-01-14T21:39:18.451950637Z",
            "modified_time": "2026-01-02T17:21:23.366503Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "sha256": "00ea1e05067a79da4cbe3d2d1a8a98e7599dc0ef49319046391ca397ceb4730e",
            "id": "pypi/2025-12-pdatainstaller/pdatainstaller",
            "source": "kam193",
            "import_time": "2026-01-19T07:14:29.762141154Z",
            "modified_time": "2026-01-02T17:21:23.366503Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / pdatainstaller

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pdatainstaller/MAL-2026-26.json"