—

MAL-2026-4357

Malicious code in helu (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: kam193 (15a97c1f0e23d838c86d69a3ceae306071a9b4b8c17162a1f563aefe489ffbe4) During import, the hidden code downloads and executes the second-stage code. After performing anti-analysis checks, it downloads a malicious executable and ensures its persistence.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-helu

Reasons (based on the campaign):

- obfuscation

- Downloads and executes a remote malicious script.

- The package contains code to detect if it is running in a sandbox environment.

- Downloads and executes a remote executable.

- malware

- persistence

- covering-tracks

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / helu

No fixed version published yet for helu (pip). Pin to a known-safe version or switch to an alternative.

References

https://www.virustotal.com/gui/file/a14d17cd9f2e983795ed63f73373b94cb9eb047044a7b2f5269ac10c7db0499a/detection [EVIDENCE]
https://bad-packages.kam193.eu/pypi/package/helu [WEB]