pypi · Malicious package advisory
Malwaredata-harvester
MAL-2026-10191
Malicious code in data-harvester (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (21c2e2c21d9afac9277d95589962d33a09651a5b6ef7e0b3c9e07aee56af213f) On first import, data_harvester/__init__.py decodes a base64-embedded ~486KB Linux ELF, writes it to ~/.config/.npm-cache/snapd-network, sets mode 0777, and installs a user crontab entry (0 */12 * * *) to re-execute it every 12 hours. The binary is disguised under a system-service-like name in a hidden.npm-cache directory that maps to no real npm or snapd path. The init code then recursively removes the package's own dist-info/egg-info and __pycache__ directories, erasing evidence while the dropped binary and cron entry persist. ## Source: kam193 (d9ff3c2a82fba71167baaab535551bcb60a32bf4eb1bdd355ef3314d493771c4) The package embeds an executable stealing cryptocurrency wallets data. During import, code saves the executable under a name suggesting system utility and configures cron to run it periodically. The exfiltrated data is encrypted using embedded RSA code before uploading to file-sharing services or IPFS. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-07-py-base58 Reasons (based on the campaign): - crypto-related - exfiltration-crypto - persistence
Compromised versions (1)
- 0.3.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.