amazon-boto @1.42.42
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-3148
Ecosystem
pypi
Summary
When using the package, the given AWS credentials are silently exfiltrated to a hardcoded location. This incarnation of the long-running campaign was first flagged by OpenSourceMalware: https://opensourcemalware.com/pypi/amazon-boto

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-aws-enumerate

Reasons (based on the campaign):
- exfiltration-generic
- action-hidden-in-lib-usage
- exfiltration-credentials
Source: kam193 (649bb559f3078565515a9fee16dbe78e0d1b5575943cbaf020135f8e70e2f17d)