—

MAL-2026-4829

Malicious code in quatres (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: kam193 (0d720315dd49970cfc00c39f4e377485b2746a4fc24f42dec7e79d0749ab9a7d) During import, the hidden code downloads and executes the second-stage code. After performing anti-analysis checks, it downloads a malicious executable and ensures its persistence.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-helu

Reasons (based on the campaign):

- obfuscation

- Downloads and executes a remote malicious script.

- The package contains code to detect if it is running in a sandbox environment.

- Downloads and executes a remote executable.

- malware

- persistence

- covering-tracks

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / quatres

No fixed version published yet for quatres (pip). Pin to a known-safe version or switch to an alternative.

References

https://www.virustotal.com/gui/file/a14d17cd9f2e983795ed63f73373b94cb9eb047044a7b2f5269ac10c7db0499a/detection [EVIDENCE]
https://bad-packages.kam193.eu/pypi/package/quatres [WEB]