MAL-2026-5755

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/anthropickit/MAL-2026-5755.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5755
Published
2026-06-14T01:37:46Z
Modified
2026-06-14T08:01:43.723603866Z
Summary
Malicious code in anthropickit (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f3e103a8a230b5fb3066fb0a9eb7f5fdf5831d4c7b71a9d83de54d8d6673eae2)

On pip install, setup.py collects the contents of every file in ~/.ssh (excluding known_hosts and authorized_keys, so private keys are read), all environment variables whose names contain KEY/SECRET/TOKEN/PASS/AUTH/API, plus the hostname and USER. The collected data is written to /tmp/runner_exfil.json and POSTed to https://enqqnvvtgrnyl.x.pipedream.net/. The package body is otherwise empty (__init__.py only sets __version__), the PKG-INFO metadata is all UNKNOWN, and the version is the sentinel 999.9.9, a dependency-confusion pattern targeting developers searching for Anthropic-related tooling. Any installer (especially CI runners) running pip install anthropickit immediately loses SSH private keys and credential-shaped environment variables to an attacker-controlled pipedream webhook.

Source: kam193 (ff4126bd465ae6de09a2eaa94a4fd2d7d385a5dae2c093372668d4b7ecb81633)

During installation, the package attempts to exfiltrate sensitive env variables and SSH keys.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-anthropickit

Reasons (based on the campaign):

  • exfiltration-ssh-keys

  • exfiltration-env-variables

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "pypi/2026-06-anthropickit/anthropickit",
            "import_time": "2026-06-14T02:22:45.870360622Z",
            "sha256": "ff4126bd465ae6de09a2eaa94a4fd2d7d385a5dae2c093372668d4b7ecb81633",
            "source": "kam193",
            "modified_time": "2026-06-14T01:37:47.165599Z",
            "versions": [
                "999.9.9"
            ]
        },
        {
            "id": "IN-MAL-2026-006444",
            "versions": [
                "999.9.9"
            ],
            "sha256": "584ef638a5415f4eccf6645abbcd06198e9abecf8b75cbd9328aa58962d9b38b",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:05:12Z",
            "import_time": "2026-06-14T07:43:27.142879663Z"
        },
        {
            "id": "IN-MAL-2026-006443",
            "versions": [
                "999.9.9"
            ],
            "sha256": "f3e103a8a230b5fb3066fb0a9eb7f5fdf5831d4c7b71a9d83de54d8d6673eae2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-14T07:05:11Z",
            "import_time": "2026-06-14T07:43:27.08033219Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / anthropickit

Package

Affected ranges

Affected versions

999.*
999.9.9

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "setup.py",
            "sha256": "7361a8e38c72a2992890ae755b5df4a304dff5a31368abdf5cd4b354d8b5e56e",
            "tlsh": "6b11564de46b2431d777bb4c1c1c8d323b9efd3a17a6b8b5b8ccaf1047496362558218"
        },
        {
            "path": "PKG-INFO",
            "sha256": "e7bde94252c51c1ee62011071106d31ae2a3a3be4afcb55e944a858f1e06df18",
            "tlsh": "e9c02b4854334133d2d71589246c43d01dd34608244d3cfd404036004b106511f700f3"
        }
    ],
    "package_integrity": [
        {
            "filename": "anthropickit-999.9.9.tar.gz",
            "hashes": {
                "md5": "7df12487bade710459ccea2d3570cdbc",
                "blake2b_256": "4d90ebb6cc11a278e781638995201fb18f530912490fff547478ba75b68ff8ba",
                "sha256": "4ae13303fa1663a36cfaa70bebe77b52b12dbf17eef24db15c6c24c631d38fbf"
            }
        }
    ],
    "ips": [
        "104.16.1.34"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/anthropickit/MAL-2026-5755.json"