MAL-2026-849
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/jsonconfig-utils/MAL-2026-849.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-849
- Published
- 2026-02-11T06:56:16Z
- Modified
- 2026-02-11T07:50:19.127169Z
- Summary
- Malicious code in jsonconfig-utils (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (883897a307b53ac17e981eac46b8d6f8c31d88fc2628c6d57c5f7f191ed84b81)
During installation, package installs a script that listens for remote commands and executes them. The script is also added to autostart configuration and disguised as system application
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-02-devtools-webhook-cicd-utils
Reasons (based on the campaign):
The package overrides the install command in setup.py to execute malicious code during installation.
peristence-autorun
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
obfuscation
- Database specific
{ "iocs": { "ips": [ "77.246.103.245" ] }, "malicious-packages-origins": [ { "sha256": "883897a307b53ac17e981eac46b8d6f8c31d88fc2628c6d57c5f7f191ed84b81", "id": "pypi/2026-02-devtools-webhook-cicd-utils/jsonconfig-utils", "source": "kam193", "modified_time": "2026-02-11T06:56:16.904497Z", "import_time": "2026-02-11T07:27:38.367855281Z", "versions": [ "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.0.10", "1.0.11" ] } ] }- References
- Credits
-
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / jsonconfig-utils
Package
- Name
- jsonconfig-utils
- View open source insights on deps.dev
- Purl
- pkg:pypi/jsonconfig-utils