VDB
KO

MAL-2026-2947

Malicious code in moonbit-schema-utils (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: kam193 (5fd7cc9fd6247802480f37b02a23faadb37c7fa5aded77358015c0861ab980e7) Campaign includes a chain of dependencies that finally exfiltrate sensitive environment variables to a hardcoded GitHub repository as exfiltration target, and in specific environments also start a reverse shell. It appears to be targeting specifically one GitHub project, where the front-end package was included in a PR.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-04-moonbit-locale-compat

Reasons (based on the campaign):

- The malicious code is intentionally included in a dependency of the package

- The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

- exfiltration-env-variables

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / moonbit-schema-utils

No fixed version published yet for moonbit-schema-utils (pip). Pin to a known-safe version or switch to an alternative.

References