MAL-2026-948

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ethrpc-accounts/MAL-2026-948.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-948
Published
2026-02-19T23:44:13Z
Modified
2026-02-20T00:48:06.817695Z
Summary
Malicious code in ethrpc-accounts (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (6372ce82342ae30022a83501fc348d1c63ec3cb27b19dba0678430efdfeeb077)

This package is a clone of legitimate eth-accounts. The malicious code is hidden in the dependency, ethrpc-keys, which exfiltrates private keys.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-02-old-ethrpc-keys

Reasons (based on the campaign):

  • clones-real-package

  • exfiltration-crypto

  • crypto-related

  • action-hidden-in-lib-usage

  • The malicious code is intentionally included in a dependency of the package

Database specific 
{
    "iocs": {
        "urls": [
            "https://sign-tx.web3rpc.workers.dev/index.php?dpr="
        ],
        "domains": [
            "sign-tx.web3rpc.workers.dev"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "pypi/2026-02-old-ethrpc-keys/ethrpc-accounts",
            "import_time": "2026-02-20T00:33:04.49033398Z",
            "sha256": "6372ce82342ae30022a83501fc348d1c63ec3cb27b19dba0678430efdfeeb077",
            "source": "kam193",
            "modified_time": "2026-02-19T23:44:13.407148Z",
            "versions": [
                "0.9.1",
                "0.9.2"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / ethrpc-accounts

Package

Name
ethrpc-accounts
View open source insights on deps.dev
Purl
pkg:pypi/ethrpc-accounts

Affected ranges

Affected versions

0.*
0.9.1
0.9.2

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ethrpc-accounts/MAL-2026-948.json"