-= Per source details. Do not edit below this line.=-
On import, the package downloads and executes an encrypted payload from a remote location. At the time of analysis, that remote code was set up to fetch a next-stage executable. The next stage is probably delivered selectively: the code polls the C2 server periodically, sending the local hostname, and waits for a next stage to be offered for download.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-04-pathjoin
Reasons (based on the campaign):
obfuscation
Downloads and executes a remote malicious script.
{
  "iocs": {
    "domains": [
      "brainwavehub.org",
      "gifpngstore.com"
    ],
    "urls": [
      "https://gifpngstore.com/test/dataP.php"
    ]
  },
  "malicious-packages-origins": [
    {
      "source": "kam193",
      "modified_time": "2026-04-28T08:25:33.987462Z",
      "id": "pypi/2026-04-pathjoin/coloreasyprint",
      "sha256": "d52af876a91a6ff5ff8144b705201fd465db94ad89f0e1b37bd22fe6ca0f5622",
      "versions": [
        "0.4.7.dev1",
        "0.4.7.dev2",
        "0.4.7.dev3"
      ],
      "import_time": "2026-04-28T09:18:57.566762197Z"
    }
  ]
}
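Added example, not part of this advisory or of the kam193 source: a small triage script that (a) checks whether an affected coloreasyprint version is installed in the current environment and (b) scans a directory tree for the IOC domains above, also looking one base64 layer deep because the campaign is tagged "obfuscation". The sample package tree it builds is constructed here for the demonstration and is not the real package content; the base64 hiding is an assumed obfuscation layer, not a statement about how this package actually encodes its payload.

```python
"""Triage helper for the 2026-04-pathjoin / coloreasyprint advisory.

Added example; the IOCs and affected versions are copied from the advisory,
everything else (sample files, base64 layer) is constructed for illustration.
"""
import base64
import os
import re
import tempfile
from importlib import metadata

# Taken from the advisory's iocs.domains and versions fields.
IOC_DOMAINS = ("brainwavehub.org", "gifpngstore.com")
AFFECTED = {"coloreasyprint": {"0.4.7.dev1", "0.4.7.dev2", "0.4.7.dev3"}}

# Long base64-looking tokens; obfuscated loaders often hide URLs this way
# (assumption for the example, other encodings would need their own pass).
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def _decoded_layers(data: bytes):
    """Yield the raw bytes, then a decoded copy of every base64-looking token."""
    yield "raw", data
    for match in _B64_TOKEN.finditer(data):
        try:
            yield "base64", base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def scan_tree(root: str):
    """Return sorted (path, indicator, layer) tuples for files mentioning an IOC domain."""
    hits = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            for layer, blob in _decoded_layers(data):
                for ioc in IOC_DOMAINS:
                    if ioc.encode() in blob:
                        hits.add((path, ioc, layer))
    return sorted(hits)


def installed_affected():
    """Return [(name, version)] for advisory packages installed at an affected version."""
    found = []
    for name, versions in AFFECTED.items():
        try:
            ver = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        if ver in versions:
            found.append((name, ver))
    return found


def build_sample_tree() -> str:
    """Constructed sample tree (not the real package): one clean module and one
    module that hides the advisory's C2 URL inside a base64 string."""
    root = tempfile.mkdtemp(prefix="ioc_scan_")
    pkg = os.path.join(root, "coloreasyprint")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "colors.py"), "w") as fh:
        fh.write("RED = '\\x1b[31m'\n")
    hidden = base64.b64encode(b"https://gifpngstore.com/test/dataP.php").decode()
    with open(os.path.join(pkg, "__init__.py"), "w") as fh:
        fh.write(f"import base64\n_u = base64.b64decode('{hidden}')\n")
    return root


if __name__ == "__main__":
    print("affected versions installed:", installed_affected())
    for path, ioc, layer in scan_tree(build_sample_tree()):
        print(f"{path}: {ioc} (found in {layer} layer)")
```

Point `scan_tree` at a real `site-packages` directory to check a host; the raw-string match will miss a payload that is encrypted rather than base64-wrapped, so treat a clean scan as a weak signal and the version check as the reliable one.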