MAL-2026-3222

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/graphicsctxs/MAL-2026-3222.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3222

Published

2026-05-01T21:44:03Z

Modified

2026-05-01T22:32:03.654931Z

Summary

Malicious code in graphicsctxs (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (4786ca298bffb09916e622e06411ae44cb51c842a6eb9bf7bcf445c051463888)

Packages in this campaign are used to exfiltrate data from users installing code from prepared Github repositories. Packages contain code to exfiltrate files (typically .env files, but it could also be log, txt or code files), and may also create a persistent backdoor via embedding a hardcoded SSH key or perform other actions. The malicious actions are not triggered via the code in malicious repositories pretending to be some early-stage cryptocurrency-related projects.

Based on the attribution of some NPM packages used in malicious repositories published under https://github.com/0xsebasneuron, this is likely part of North Korean actions targeting developers via fake interviews: https://socket.dev/supply-chain-attacks/north-korea-s-contagious-interview-campaign

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-04-renderctx

Reasons (based on the campaign):

backdoor
files-exfiltration
crypto-related
The malicious code is intentionally included in a dependency of the package

Database specific

{
    "iocs": {
        "urls": [
            "https://renderkit1.vercel.app",
            "https://ctx-graphics.vercel.app"
        ],
        "domains": [
            "renderkit1.vercel.app",
            "ctx-graphics.vercel.app"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "pypi/2026-04-renderctx/graphicsctxs",
            "import_time": "2026-05-01T21:49:05.492980122Z",
            "sha256": "4786ca298bffb09916e622e06411ae44cb51c842a6eb9bf7bcf445c051463888",
            "source": "kam193",
            "modified_time": "2026-05-01T21:44:03.848984Z",
            "versions": [
                "1.0.1"
            ]
        },
        {
            "id": "pypi/2026-04-renderctx/graphicsctxs",
            "import_time": "2026-05-01T22:21:39.8868902Z",
            "sha256": "faa5ee8bfc6fb7836b7892c8b8ed3476fda5c24617fa47c69b45f715e2e743a9",
            "source": "kam193",
            "modified_time": "2026-05-01T21:44:03.848984Z",
            "versions": [
                "1.0.1"
            ]
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / graphicsctxs

Package

Name: graphicsctxs; View open source insights on deps.dev
Purl: pkg:pypi/graphicsctxs

Affected ranges

Affected versions

1.*

1.0.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/graphicsctxs/MAL-2026-3222.json"