anthropickit @999.9.9
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5755
Ecosystem
pypi
Summary
On pip install , setup.py collects the contents of every file in ~/.ssh (excluding known_hosts and authorized_keys, so private keys are read), all environment variables whose names contain KEY/SECRET/TOKEN/PASS/AUTH/API, plus the hostname and USER. The collected data is written to /tmp/runner_exfil.json and POSTed to https://enqqnvvtgrnyl.x.pipedream.net/. The package body is otherwise empty (__init__.py only sets __version__), the PKG-INFO metadata is all UNKNOWN, and the version is the sentinel 999.9.9 — a dependency-confusion pattern targeting developers searching for Anthropic-related tooling. Any installer (especially CI runners) running pip install anthropickit immediately loses SSH private keys and credential-shaped environment variables to an attacker-controlled pipedream webhook.
Source: amazon-inspector (f3e103a8a230b5fb3066fb0a9eb7f5fdf5831d4c7b71a9d83de54d8d6673eae2)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.