-= Per source details. Do not edit below this line.=-
Campaign includes a chain of dependencies that finally exfiltrate sensitive environment variables to a hardcoded GitHub repository as exfiltration target, and in specific environments also start a reverse shell. It appears to be targeting specifically one GitHub project, where the front-end package was included in a PR.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-04-moonbit-locale-compat
Reasons (based on the campaign):
The malicious code is intentionally included in a dependency of the package
The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
exfiltration-env-variables
{
"malicious-packages-origins": [
{
"modified_time": "2026-04-20T08:12:08.76337Z",
"id": "pypi/2026-04-moonbit-locale-compat/moonbit-locale-compat",
"source": "kam193",
"import_time": "2026-04-20T08:51:57.122908508Z",
"sha256": "d42bb32adb1fb5f388368b9e4ab382bfbc8cd7f62dab4c70a8563a448ce9c2af",
"versions": [
"0.2.1",
"0.2.3",
"0.2.4"
]
},
{
"sha256": "d78a796f48577a4aacd59312b19e5aba799631ce77b36bebb5c64c4e523cd9b8",
"id": "pypi/2026-04-moonbit-locale-compat/moonbit-locale-compat",
"source": "kam193",
"import_time": "2026-04-20T09:41:09.786566586Z",
"modified_time": "2026-04-20T08:12:08.76337Z",
"versions": [
"0.2.1",
"0.2.3",
"0.2.4"
]
},
{
"sha256": "c58559e9912d5dcd09f75a8e6c0256074d834d82f81cb7ac917a8273bde496ce",
"id": "RLMA-2026-02099",
"source": "reversing-labs",
"import_time": "2026-07-09T09:11:39.204137879Z",
"modified_time": "2026-07-07T11:49:45Z",
"versions": [
"0.2.1",
"0.2.3",
"0.2.4"
]
}
]
}