MAL-2026-3180

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nicegui/MAL-2026-3180.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3180

Published

2026-04-29T12:00:00Z

Modified

2026-04-30T23:10:44.384975Z

Summary

Malicious code in nicegui (npm)

Details

Malicious npm package published by threat actor "ryanmccollum1" typosquatting the popular Python NiceGUI framework. Part of the same supply chain attack campaign as redeem-onchain-sdk, which collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and git history, exfiltrating over a raw TCP socket to an AWS-hosted C2. Published by threat actor "ryanmccollum1" as part of the same campaign as redeem-onchain-sdk.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bdc02f08ae75f2010d8b5df4b7b4f083b25f30e8d4c8b8aee4c5c1f988e416ed)

The package nicegui was found to contain malicious code.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-04-30T22:23:11.965908444Z",
            "sha256": "bdc02f08ae75f2010d8b5df4b7b4f083b25f30e8d4c8b8aee4c5c1f988e416ed",
            "source": "amazon-inspector",
            "modified_time": "2026-04-30T21:59:18Z",
            "versions": [
                "0.1.4"
            ]
        }
    ]
}

References

https://safedep.io/redeem-onchain-sdk-polymarket-npm-malware/

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com
- SafeDep - FINDER
- - https://safedep.io

Affected packages

npm / nicegui

Package

Name: nicegui; View open source insights on deps.dev
Purl: pkg:npm/nicegui

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.1.4

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nicegui/MAL-2026-3180.json"