VDB
KO

MAL-2026-2945

Malicious code in moonbit-locale-compat (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: kam193 (d42bb32adb1fb5f388368b9e4ab382bfbc8cd7f62dab4c70a8563a448ce9c2af) Campaign includes a chain of dependencies that finally exfiltrate sensitive environment variables to a hardcoded GitHub repository as exfiltration target, and in specific environments also start a reverse shell. It appears to be targeting specifically one GitHub project, where the front-end package was included in a PR.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-04-moonbit-locale-compat

Reasons (based on the campaign):

- The malicious code is intentionally included in a dependency of the package

- The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

- exfiltration-env-variables

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / moonbit-locale-compat

No fixed version published yet for moonbit-locale-compat (pip). Pin to a known-safe version or switch to an alternative.

References