MAL-2026-901

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/platforms/MAL-2026-901.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-901
Published
2026-02-14T12:29:36Z
Modified
2026-02-14T13:32:06.428122Z
Summary
Malicious code in platforms (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (152f27ebcd7a8c662ffcbfe69086e0a50e71f73993bc7d97ce3bb67896c8a4dc)

During importing, the code automatically starts a Telegram bot designed to download and save files locally upon a specific message in the channel. While this seems to have limited harm, this behavior is not disclosed and the involved packages have typosquatting-like names. The core code is in the "platforms" package.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-02-old-platforms

Reasons (based on the campaign):

  • other

  • typosquatting

  • The malicious code is intentionally included in a dependency of the package

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-02-14T13:21:48.786935171Z",
            "modified_time": "2026-02-14T12:29:36.983101Z",
            "source": "kam193",
            "sha256": "152f27ebcd7a8c662ffcbfe69086e0a50e71f73993bc7d97ce3bb67896c8a4dc",
            "id": "pypi/2026-02-old-platforms/platforms",
            "versions": [
                "1.0.0",
                "1.0.1",
                "2.0.0",
                "3.0.0",
                "4.0.0",
                "5.0.0",
                "6.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / platforms

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
2.*
2.0.0
3.*
3.0.0
4.*
4.0.0
5.*
5.0.0
6.*
6.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/platforms/MAL-2026-901.json"