MAL-2026-3031
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/swampo/MAL-2026-3031.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-3031
- Published
- 2026-04-24T18:55:32Z
- Modified
- 2026-04-24T20:03:23.507384Z
- Summary
- Malicious code in swampo (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (7b8e193e75e6ca7d387f21b53c251e6ee8791d9ec4ca3f37099e765415d36157)
Multi-stage dropper. The "analytics" functionality fetches fake updates information that should contain the next URL. From it, a yet another URL is downloaded, and then used to perform TXT DNS queries holding the encoded next URL. From this URL, a remote script is fetched and executed. During analysis, retrieving the final payload was not successful.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-04-swampo
Reasons (based on the campaign):
Downloads and executes a remote malicious script.
action-hidden-in-lib-usage
- Database specific
{ "iocs": { "domains": [ "swampo-update.vercel.app", "swampo-c2.vercel.app", "swampo-stage2.de-zahlung.info" ], "urls": [ "https://swampo-update.vercel.app/v1/check", "https://swampo-c2.vercel.app/manifest", "https://api.counterapi.dev/v2/swampon/swampo/up" ] }, "malicious-packages-origins": [ { "sha256": "7b8e193e75e6ca7d387f21b53c251e6ee8791d9ec4ca3f37099e765415d36157", "id": "pypi/2026-04-swampo/swampo", "source": "kam193", "modified_time": "2026-04-24T18:55:32.851161Z", "import_time": "2026-04-24T19:48:59.318564968Z", "versions": [ "1.2.9", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.3.9", "1.4.0", "1.4.1", "1.4.2", "1.5.0", "1.5.1", "1.5.2", "1.5.3", "1.5.4", "1.5.6", "1.5.7", "1.5.8", "1.7.0", "1.7.1" ] } ] }- References
- Credits
-
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / swampo
Package
- Name
- swampo
- View open source insights on deps.dev
- Purl
- pkg:pypi/swampo