THREATPKG
SYNC STALE
Supply-chain threat intelligence
Incident detail
Risk score
92
AI summary
Indexed incident for parsimonius (pypi).
Description
Clone of a legitimate package with an added RAT running through a Telegram bot. It can e.g. exfiltrate env variables and execute remote commands. The malicious action does not start if the geolocation or timezone suggests a Russian area.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-parsimonius
Reasons (based on the campaign):
typosquatting
exfiltration-env-variables
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
rat
clones-real-package
abuses-pth
geo-restricted
uses-telegram-bot
Technical details
Indicators
- affected version<function fixed() { [native code] }75%
- affected version<function fixed() { [native code] }75%
- affected version<function fixed() { [native code] }75%
- affected version<function fixed() { [native code] }75%
- affected version<function fixed() { [native code] }75%
- affected version<function fixed() { [native code] }75%
- affected version<function fixed() { [native code] }75%
- affected version<function fixed() { [native code] }75%
- affected version<function fixed() { [native code] }75%
Timeline
- Advisory published
- Indexed by ThreatPkg
Related incidents
- Malicious code in cdktn-provider-datadog (PyPI)cdktn-provider-datadog92
- Malicious code in cdktn-provider-newrelic (PyPI)cdktn-provider-newrelic92
- Malicious code in ggk-happy (npm)ggk-happy92
- Malicious code in vue-compiler-sfc-plugin (npm)vue-compiler-sfc-plugin92
- Malicious code in license-checker-plus (npm)license-checker-plus92