{"schema_version":"1.7.3","id":"MAL-2026-849","published":"2026-02-11T06:56:16Z","modified":"2026-02-11T07:50:19.127169Z","summary":"Malicious code in jsonconfig-utils (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (883897a307b53ac17e981eac46b8d6f8c31d88fc2628c6d57c5f7f191ed84b81)\nDuring installation, package installs a script that listens for remote commands and executes them. The script is also added to autostart configuration and disguised as system application\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-02-devtools-webhook-cicd-utils\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - peristence-autorun\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n\n\n - obfuscation\n","affected":[{"package":{"name":"jsonconfig-utils","ecosystem":"PyPI","purl":"pkg:pypi/jsonconfig-utils"},"versions":["1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.0.10","1.0.11"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/jsonconfig-utils/MAL-2026-849.json"}}],"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/jsonconfig-utils"}],"database_specific":{"iocs":{"ips":["77.246.103.245"]},"malicious-packages-origins":[{"id":"pypi/2026-02-devtools-webhook-cicd-utils/jsonconfig-utils","import_time":"2026-02-11T07:27:38.367855281Z","modified_time":"2026-02-11T06:56:16.904497Z","sha256":"883897a307b53ac17e981eac46b8d6f8c31d88fc2628c6d57c5f7f191ed84b81","source":"kam193","versions":["1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.0.10","1.0.11"]}]},"credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}