MAL-2026-2945
Malicious code in moonbit-locale-compat (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: kam193 (d42bb32adb1fb5f388368b9e4ab382bfbc8cd7f62dab4c70a8563a448ce9c2af) Campaign includes a chain of dependencies that finally exfiltrate sensitive environment variables to a hardcoded GitHub repository as exfiltration target, and in specific environments also start a reverse shell. It appears to be targeting specifically one GitHub project, where the front-end package was included in a PR.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-04-moonbit-locale-compat
Reasons (based on the campaign):
- The malicious code is intentionally included in a dependency of the package
- The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
- exfiltration-env-variables
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for moonbit-locale-compat (pip). Pin to a known-safe version or switch to an alternative.
References
- https://github.com/zongen01/wechat-editor-studio/pull/2/changes#diff-d9555f91ec2cf16d2b3d23115fe3cf6600fa8b42627de82a81da48191c54d99c [WEB]
- https://bad-packages.kam193.eu/pypi/package/moonbit-locale-compat [WEB]
- https://github.com/DiamondFrontline/wechat-editor-studio/commit/3c61484843fbc7fbeb5e81149296aa7843570ee1 [WEB]