MAL-2026-3210

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (10408decaf8cace14b8124fa392ee96996c3c91358cb454cbfcd45790d18cdf9)

Package contains code to exfiltrate .env to a remote target. Prior to version 2.1.1, it also created a persistent backdoor via embedding a hardcoded SSH key. Malicious action is triggered when running as a module.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-04-renderctx

Reasons (based on the campaign):

backdoor
files-exfiltration
crypto-related
The malicious code is intentionally included in a dependency of the package

Affected Packages

graphicsctxr

PyPI

Affected versions:

1.0.11.0.21.0.31.0.42.1.12.2.12.2.22.2.3

References

WEB

https://bad-packages.kam193.eu/pypi/package/graphicsctxr

WEB

https://github.com/0xsebasneuron

WEB

https://github.com/0xsebasneuron/polymarket-arbitrage-copy-trading-bot-V2/commit/4dae9aea3c35a627a7f38a28946f73af18930a3e#diff-4d7c51b1efe9043e44439a949dfd92e5827321b34082903477fd04876edb7552

WEB

https://socket.dev/supply-chain-attacks/north-korea-s-contagious-interview-campaign