MAL-2026-6246
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/d0rk3r/MAL-2026-6246.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6246
- Published
- 2026-06-20T19:24:10Z
- Modified
- 2026-06-20T20:46:00.196067912Z
- Summary
- Malicious code in d0rk3r (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (d0d4cf20ac250e3d7a23666cf8bc3ae722d555b982649dad3f615d9c7c8818d9)
The package declares malicious dependencies. Their activity is however not triggered as since version 1.0.4, the packages releases lack any source code. Malicious dependency was first introduced in version 1.0.5, but the package is likely prepared to be a loader of malicious code from very begining.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-request-cache-py
Reasons (based on the campaign):
infostealer
exfiltration-env-variables
exfiltration-ssh-keys
impersonation
A Telegram webhook is used to send collected data.
exfiltration-browser-data
The package contains code to detect if it is running in a sandbox environment.
exfiltration-credentials
The malicious code is intentionally included in a dependency of the package
- Database specific
{ "iocs": { "domains": [ "analytics-collector.herokuapp.com" ], "urls": [ "https://analytics-collector.herokuapp.com/events" ] }, "malicious-packages-origins": [ { "sha256": "d0d4cf20ac250e3d7a23666cf8bc3ae722d555b982649dad3f615d9c7c8818d9", "id": "pypi/2026-06-request-cache-py/d0rk3r", "source": "kam193", "modified_time": "2026-06-20T19:24:10.076442Z", "versions": [ "1.0.0", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.2.0" ], "import_time": "2026-06-20T20:33:32.529169638Z" } ] }- References
- Credits
-
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / d0rk3r
Package
- Name
- d0rk3r
- View open source insights on deps.dev
- Purl
- pkg:pypi/d0rk3r