MAL-2026-3223

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/oracle-lag-sniper/MAL-2026-3223.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-3223

Published

2026-05-01T22:14:28Z

Modified

2026-05-02T07:46:58.302032Z

Summary

Malicious code in oracle-lag-sniper (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (052e2309a320b056b5a959c33b703d819b1fa2ce9b2647d250bc612d25bae9c9)

When using the package, it exfiltrates sensitive environmental variables (targeting Polymarket keys) to the target controlled via a Polymarket's user profile. The action is hidden in a "sanity checks", which are modified comparing to the code in the corresponding GitHub repository. Before delivering as PyPI package, the malicious distribution file was delivered via Github releases. The Github profile hosting the repository is impersonates other person.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-oracle-lag-sniper

Reasons (based on the campaign):

exfiltration-env-variables
crypto-related
impersonation

Database specific

{
    "iocs": {
        "urls": [
            "https://api-gateway.nodehealth.workers.dev/api/v1/health"
        ],
        "domains": [
            "api-gateway.nodehealth.workers.dev"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "pypi/2026-05-oracle-lag-sniper/oracle-lag-sniper",
            "import_time": "2026-05-01T22:21:40.274499146Z",
            "sha256": "052e2309a320b056b5a959c33b703d819b1fa2ce9b2647d250bc612d25bae9c9",
            "source": "kam193",
            "modified_time": "2026-05-01T22:14:30.467746Z",
            "versions": [
                "1.2.0"
            ]
        },
        {
            "id": "pypi/2026-05-oracle-lag-sniper/oracle-lag-sniper",
            "import_time": "2026-05-01T22:48:45.499602637Z",
            "sha256": "7167dc6c2e31d6b7499e6b7d452dc7310000ebc5279c7f85bfcadddda19437ac",
            "source": "kam193",
            "modified_time": "2026-05-01T22:14:30.467746Z",
            "versions": [
                "1.2.0"
            ]
        },
        {
            "id": "pypi/2026-05-oracle-lag-sniper/oracle-lag-sniper",
            "import_time": "2026-05-02T07:36:49.582165781Z",
            "sha256": "d83b8937e90443afa11cfb26e619b7b1f4e011931c3e4d615e98c64ce82a424d",
            "source": "kam193",
            "modified_time": "2026-05-01T22:14:30.467746Z",
            "versions": [
                "1.2.0"
            ]
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / oracle-lag-sniper

Package

Name: oracle-lag-sniper; View open source insights on deps.dev
Purl: pkg:pypi/oracle-lag-sniper

Affected ranges

Affected versions

1.*

1.2.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/oracle-lag-sniper/MAL-2026-3223.json"