MAL-2026-825
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/devtools-webhook-cicd-utils/MAL-2026-825.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-825
- Published
- 2026-02-10T07:42:45Z
- Modified
- 2026-02-10T08:56:16.468422Z
- Summary
- Malicious code in devtools-webhook-cicd-utils (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (807557cb6ac51aece00eeb28f55b89815176c95172780dcdded46b667f843771)
During installation, package installs a script that listens for remote commands and executes them. The script is also added to autostart configuration and disguised as system application
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-02-devtools-webhook-cicd-utils
Reasons (based on the campaign):
The package overrides the install command in setup.py to execute malicious code during installation.
peristence-autorun
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
obfuscation
- Database specific
{ "iocs": { "ips": [ "77.246.103.245" ] }, "malicious-packages-origins": [ { "sha256": "807557cb6ac51aece00eeb28f55b89815176c95172780dcdded46b667f843771", "id": "pypi/2026-02-devtools-webhook-cicd-utils/devtools-webhook-cicd-utils", "source": "kam193", "modified_time": "2026-02-10T07:42:45.225273Z", "import_time": "2026-02-10T08:20:58.665281586Z", "versions": [ "1.4.7", "1.5.0", "1.5.1", "1.6.0" ] } ] }- References
- Credits
-
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / devtools-webhook-cicd-utils
Package
- Name
- devtools-webhook-cicd-utils
- View open source insights on deps.dev
- Purl
- pkg:pypi/devtools-webhook-cicd-utils