python-anchor @15.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 8:33 PM UTC
OSV ID
MAL-2026-1435
Ecosystem
pypi
Summary
During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a follow up of the campaign 2026-03-fastapi-middleware-cors --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-03-ariadne-federation Reasons (based on the campaign): - malware - obfuscation - dependency-confusion - typosquatting
Source: kam193 (914b16cbc506c57a77eeed5ae14955bcf3b58fa49da92c2686b56a1d531c5268)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.