pypi · Malicious package advisory
Malwaredefi-tools
MAL-2026-10192
Malicious code in defi-tools (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (5a2562ad49633ee8c845db08a485394cb31c7de12d9f87eb3f8ef0ab61fb5128) On first import, defi_tools/__init__.py decodes a base64-embedded ~486KB Linux ELF, writes it to ~/.config/.npm-cache/snapd-network, sets mode 0777, and installs a user crontab entry (0 */12 * * *) to re-execute it every 12 hours. The binary is disguised under a system-service-like name in a hidden.npm-cache directory that maps to no real npm or snapd path. The init code then recursively removes the package's own dist-info/egg-info and __pycache__ directories, erasing evidence while the dropped binary and cron entry persist. ## Source: kam193 (965dc1bdb2af9e6f1c5965554eeb9a789ff0b4f8ef2c46e76f05774ac9f3535a) The package embeds an executable stealing cryptocurrency wallets data. During import, code saves the executable under a name suggesting system utility and configures cron to run it periodically. The exfiltrated data is encrypted using embedded RSA code before uploading to file-sharing services or IPFS. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-07-py-base58 Reasons (based on the campaign): - crypto-related - exfiltration-crypto - persistence
Compromised versions (1)
- 0.8.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.