Supply-chain threat intelligence

Incident detail

criticalpypi·typosquatting·osv

Malicious code in jupiter-sdk (PyPI)

jupiter-sdk

Risk score

92

AI summary

Indexed incident for jupiter-sdk (pypi).

Description

On import jupiter_sdk, the package's top-level init.py fetches a payload over HTTPS from a public IPFS gateway (https://gateway.pinata.cloud/ipfs/QmP2RrfNCNabLzPYncMGgFwAmttDafczpJLS8oxvQRBVqg), passes the response body directly to exec(), and invokes a main() function from the executed namespace, with errors silently swallowed. The URL is content-addressed to an IPFS CID with no signature or hash verification of the executed content beyond the CID, and the fetched code is not shipped with the package. The package presents itself as a 'Jupiter DEX Aggregator SDK' but its exported API (get_quote, get_token_list, get_routes) returns hardcoded dummy values and performs no real Jupiter calls, so the only functional behavior on install/import is the remote code loader. The name resembles the widely used Jupiter aggregator ecosystem while performing arbitrary remote code execution against any environment that imports it.

During import, the code downloads and executes a remote script. The script collects sensitive files, including cryptocurrency wallet private keys and seeds, SSH keys, dotenv files and uploads them to IPFS. After that, it communicates with C2 and awaits further commands to execute.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-metemask-sdk

Reasons (based on the campaign):

  • files-exfiltration

  • typosquatting

  • exfiltration-ssh-keys

  • crypto-related

  • Downloads and executes a remote malicious script.

  • exfiltration-crypto

  • The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

  • uses:ipfs

Technical details

Affected versions

=0.1.0=0.1.1

Indicators

  • affected version=0.1.075%
  • affected version=0.1.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents