-= Per source details. Do not edit below this line.=-
During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-ninja-core-utils
Reasons (based on the campaign):
- The package overrides the install command in setup.py to execute malicious code during installation.
- obfuscation
- crypto-related
- exfiltration-crypto
- backdoor
{
"iocs": {
"ips": [
"144.126.142.148"
],
"urls": [
"http://144.126.142.148:5555/tao"
]
},
"malicious-packages-origins": [
{
"id": "pypi/2026-05-ninja-core-utils/ninja-core-optimizer",
"sha256": "7421b043b7d687849d0a75da8ecf204604e61b20efc5cf5b18bd3648225e4011",
"import_time": "2026-05-08T14:40:52.976669564Z",
"source": "kam193",
"modified_time": "2026-05-08T14:24:06.867122Z",
"versions": [
"1.3.3",
"1.3.4"
]
},
{
"id": "pypi/2026-05-ninja-core-utils/ninja-core-optimizer",
"sha256": "fbe38f659a9fac5304f648aa594e12123221abd687755378f05b3efe17d6d4c7",
"import_time": "2026-05-09T17:23:17.193207998Z",
"source": "kam193",
"modified_time": "2026-05-08T14:24:06.867122Z",
"versions": [
"1.3.3",
"1.3.4"
]
},
{
"id": "pypi/2026-05-ninja-core-utils/ninja-core-optimizer",
"sha256": "f3b0b000f1baa5e720574c744c51968be3cd230bf5a4d8b451ddf0709e87d2f0",
"import_time": "2026-05-12T21:56:03.343303052Z",
"source": "kam193",
"modified_time": "2026-05-08T14:24:06.867122Z",
"versions": [
"1.3.3",
"1.3.4"
]
}
]
}