{"id":"MAL-2026-3105","summary":"Malicious code in mypypipkg (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (a94a9bbd6a292f754fedd6ae737eaf5259925cf382a610c9d63e9d210a3f3677)\nWhen running as a module, the package starts a VSCode tunnel and exfiltrates the connection link to the hardcoded target. This lets the attacker connect the VSCode instance online and gain remote access to the machine as the user running the code.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-04-old-mypypipkg\n\n\nReasons (based on the campaign):\n\n\n - vscode-tunnel\n","modified":"2026-04-27T22:06:44.774951Z","published":"2026-04-27T21:21:43Z","database_specific":{"malicious-packages-origins":[{"source":"kam193","modified_time":"2026-04-27T21:21:43.687161Z","import_time":"2026-04-27T21:50:25.222107416Z","sha256":"a94a9bbd6a292f754fedd6ae737eaf5259925cf382a610c9d63e9d210a3f3677","versions":["0.1.0","0.1.1"],"id":"pypi/2026-04-old-mypypipkg/mypypipkg"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/mypypipkg"}],"affected":[{"package":{"name":"mypypipkg","ecosystem":"PyPI","purl":"pkg:pypi/mypypipkg"},"versions":["0.1.0","0.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/mypypipkg/MAL-2026-3105.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}