MAL-2026-6138
Malicious code in randpicker (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: kam193 (378d07b700aa25d356594d7b1c42db107def3dbd1cce734e4c1c50b411048eb6)

When calling the `Email` function, the code creates a backdoor script and attempts to achieve persistence. The script connects to a Telegram bot and awaits commands to execute.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-old-randpicker
Reasons (based on the campaign):
- action-hidden-in-lib-usage
- The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
- backdoor
- uses-telegram-bot
- persistence
- peristence-autorun
Affected packages
No fixed version published yet for randpicker (pip). Pin to a known-safe version or switch to an alternative.