pypi

license-utils-kit @0.1rc3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-2084

Ecosystem

pypi

Summary

Malicious clone of the legitimate "license" package. When the find_by_key function is used, malicious code is loaded from strongly obfuscated files. It then at least collects data from crypto wallets and password managers and exfiltrates it to a hardcoded remote location. Prior to version 0.1b2, the malicious code was hosted externally and downloaded when triggered.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-license-utils-kit

Reasons (based on the campaign):
- infostealer
- obfuscation
- crypto-related
- action-hidden-in-lib-usage
- exfiltration-credentials
- clones-real-package

Source: kam193 (eb0116c55754c947c819c966f213a99864511536a414619cf3154b89be59f9e8)
