gangomodule @1.0.37
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-2486
Ecosystem
pypi
Summary
During installation, obfuscated code checks the environment for typical signs of sandboxing and attempts to download the next stages from remote sources. The remote stage is a comprehensive infostealer that collects credentials from files and process memory, especially SSH keys, and covers its tracks to make forensic analysis more difficult. Naming suggests a relation to a toolkit called "Aether".

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-04-gangomodule

Reasons (based on the campaign):
- Downloads and executes a remote malicious script.
- The package contains code to detect if it is running in a sandbox environment.
- obfuscation
- infostealer
- exfiltration-credentials
- exfiltration-ssh-keys
- files-exfiltration
- exfiltration-env-variables
- exfiltration-generic
- covering-tracks
Source: kam193 (8117683c90fb188f9fc013b3b3006dc5e31269d2511dd7c80eea9ac7b6892d09)