pypi

apachelicense @0.1a1

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-2119

Ecosystem

pypi

Summary

Malicious clone of the legitimate "license" package. Calling the find_by_key function loads malicious code from heavily obfuscated files. At a minimum, that code collects data from crypto wallets and password managers and exfiltrates it to a hardcoded remote location. Prior to version 0.1b2, the malicious code was hosted externally and downloaded when triggered.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-license-utils-kit

Reasons (based on the campaign):

- infostealer
- obfuscation
- crypto-related
- action-hidden-in-lib-usage
- exfiltration-credentials
- clones-real-package

Source: kam193 (9d96d45a87e117e72107d6d6dfbe8c4e94323323bc28ce9accd8ccba39a0a46c)
