MAL-2026-811
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/grokwrapper/MAL-2026-811.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-811
- Published
- 2026-02-08T10:34:16Z
- Modified
- 2026-02-26T10:12:42.712934Z
- Summary
- Malicious code in grokwrapper (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (a7ae896464be7f195243e35231a2435d0a1eb055cc7fa8cfaef707c7e11c55b2)
During importing the module, package silently execute code hidden in an embedded config file, and downloads remote executable. It's then added to Run registry key for persistence and started.
During analysis, the executable was not detected by antiviruses.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-02-grokwrapper
Reasons (based on the campaign):
Downloads and executes a remote executable.
obfuscation
peristence-autorun
- Database specific
{ "iocs": { "urls": [ "https://dl.dropboxusercontent.com/scl/fi/su8ks7znqh6lzkd9n26yt/PenisKOZLA.gif?rlkey=6otsosk8q7bjv2z44i16bmblo&st=ehtbhkv8&dl=1" ] }, "malicious-packages-origins": [ { "id": "pypi/2026-02-grokwrapper/grokwrapper", "sha256": "a7ae896464be7f195243e35231a2435d0a1eb055cc7fa8cfaef707c7e11c55b2", "source": "kam193", "versions": [ "0.1.0", "0.2.0" ], "modified_time": "2026-02-08T10:34:16.102765Z", "import_time": "2026-02-08T10:44:49.658863606Z" }, { "id": "pypi/2026-02-grokwrapper/grokwrapper", "sha256": "6a020c1f62988aa0b040fe97d8a8444b8e38e3a8cdd62197795d96fdd8a0c8b3", "source": "kam193", "versions": [ "0.1.0", "0.2.0" ], "modified_time": "2026-02-08T10:34:16.102765Z", "import_time": "2026-02-26T09:49:02.311151596Z" } ] }- References
- Credits
-
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / grokwrapper
Package
- Name
- grokwrapper
- View open source insights on deps.dev
- Purl
- pkg:pypi/grokwrapper