Malicious code in d0rk3r (PyPI)

Description

The package declares malicious dependencies. Their activity is however not triggered as since version 1.0.4, the packages releases lack any source code. Malicious dependency was first introduced in version 1.0.5, but the package is likely prepared to be a loader of malicious code from very begining.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-request-cache-py

Reasons (based on the campaign):

infostealer
exfiltration-env-variables
exfiltration-ssh-keys
impersonation
A Telegram webhook is used to send collected data.
exfiltration-browser-data
The package contains code to detect if it is running in a sandbox environment.
exfiltration-credentials
The malicious code is intentionally included in a dependency of the package

Technical details

Affected versions

=1.0.0=1.0.2=1.0.3=1.0.4=1.0.5=1.0.6=1.0.7=1.0.8=1.0.9=1.1.0=1.1.1=1.1.2=1.1.3=1.1.4=1.1.5=1.2.0

Indicators

affected version=1.0.075%
affected version=1.0.275%
affected version=1.0.375%
affected version=1.0.475%
affected version=1.0.575%
affected version=1.0.675%
affected version=1.0.775%
affected version=1.0.875%
affected version=1.0.975%
affected version=1.1.075%
affected version=1.1.175%
affected version=1.1.275%
affected version=1.1.375%
affected version=1.1.475%
affected version=1.1.575%
affected version=1.2.075%

Timeline

Jun 20, 07:24 PMAdvisory published
Jun 21, 06:27 AMIndexed by ThreatPkg

Incident detail

Malicious code in d0rk3r (PyPI)

AI summary

Description

Technical details

Related incidents