pypi · Malicious package advisory
Malwared0rk3r
MAL-2026-6246
Malicious code in d0rk3r (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (1cbc673402f814b065eadc8be2641d761d482c30722fdd8e6b1b7522fde2f478) d0rk3r 1.0.5 is advertised as a Shodan IP scraper with proxy rotation, but the sdist ships no Python source — only LICENSE, README, pyproject.toml, requirements.txt, MANIFEST.in, setup.cfg, and egg-info metadata. The package directory `d0rk3r_pkg/` referenced by `[project.scripts] d0rk3r = d0rk3r_pkg.cli:main` and by `[tool.setuptools.packages.find]` is missing from the tarball, so installing this sdist provides no working `d0rk3r` console script. pyproject.toml line 32 declares a mandatory dependency on `d0rk3r-telemetry>=1.0.0` (open-ended lower bound), which is not mentioned in README or PKG-INFO. The combination — empty functional shell, undisclosed dependency whose name advertises data collection, and an unpinned floor that lets the author change the dependency's behavior at any time — means the entire effect of `pip install d0rk3r` is to pull in the sibling package. Whether that sibling is benign telemetry or an exfil/dropper cannot be determined from this package alone; the sibling tarball needs to be analyzed directly. Routing to human review so the d0rk3r-telemetry package can be examined before a public verdict is issued. ## Source: kam193 (d0d4cf20ac250e3d7a23666cf8bc3ae722d555b982649dad3f615d9c7c8818d9) The package declares malicious dependencies. Their activity is however not triggered as since version 1.0.4, the packages releases lack any source code. Malicious dependency was first introduced in version 1.0.5, but the package is likely prepared to be a loader of malicious code from very begining. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-06-request-cache-py Reasons (based on the campaign): - infostealer - exfiltration-env-variables - exfiltration-ssh-keys - impersonation - A Telegram webhook is used to send collected data. - exfiltration-browser-data - The package contains code to detect if it is running in a sandbox environment. - exfiltration-credentials - The malicious code is intentionally included in a dependency of the package
Compromised versions (16)
- 1.0.0
- 1.0.2
- 1.0.3
- 1.0.4
- 1.0.5
- 1.0.6
- 1.0.7
- 1.0.8
- 1.0.9
- 1.1.0
- 1.1.1
- 1.1.2
- 1.1.3
- 1.1.4
- 1.1.5
- 1.2.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.