moonbit-locale-compat @0.2.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-2945
Ecosystem
pypi
Summary
Campaign includes a chain of dependencies that ultimately exfiltrates sensitive environment variables to a hardcoded GitHub repository and, in specific environments, also starts a reverse shell. It appears to target one specific GitHub project, where the front-end package was included in a PR.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-04-moonbit-locale-compat

Reasons (based on the campaign):
- The malicious code is intentionally included in a dependency of the package
- The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
- exfiltration-env-variables
Source: kam193 (d42bb32adb1fb5f388368b9e4ab382bfbc8cd7f62dab4c70a8563a448ce9c2af)