mal-2026-2516
Vulnerability from ossf_malicious_packages
Published
2026-04-08 16:31
Modified
2026-04-08 16:31
Summary
Malicious code in sentinel-tool (PyPI)
Details
-= Per source details. Do not edit below this line.=-
Source: kam193 (5a2ff07802c4546c40d47d3780971506115297a1e8c177be36ad1e003dd62937)
The package installs a remote executable that uses a hardcoded Telegram channel for monitoring the user's activity, including regularly taking screenshots, and some remote control possibilities like switching the computer off and grabbing clipboard content. Some content suggests it was designed to be used by the uploader themself, but it poses the risk to anyone installing it.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-04-sentinel-tool
Reasons (based on the campaign):
-
Downloads and executes a remote executable.
-
spyware-like
Credits
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "sentinel-tool"
},
"versions": [
"0.1",
"0.2",
"0.3",
"0.4",
"0.5",
"0.6"
]
}
],
"credits": [
{
"contact": [
"https://github.com/kam193",
"https://bad-packages.kam193.eu/"
],
"name": "Kamil Ma\u0144kowski (kam193)",
"type": "REPORTER"
}
],
"database_specific": {
"iocs": {
"urls": [
"https://raw.githubusercontent.com/offc559-crypto/senitel/main/Sentinel.exe"
]
},
"malicious-packages-origins": [
{
"id": "pypi/2026-04-sentinel-tool/sentinel-tool",
"import_time": "2026-04-08T16:56:45.491035065Z",
"modified_time": "2026-04-08T16:31:08.27997Z",
"sha256": "5a2ff07802c4546c40d47d3780971506115297a1e8c177be36ad1e003dd62937",
"source": "kam193",
"versions": [
"0.1",
"0.2",
"0.3",
"0.4",
"0.5",
"0.6"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (5a2ff07802c4546c40d47d3780971506115297a1e8c177be36ad1e003dd62937)\nThe package installs a remote executable that uses a hardcoded Telegram channel for monitoring the user\u0027s activity, including regularly taking screenshots, and some remote control possibilities like switching the computer off and grabbing clipboard content. Some content suggests it was designed to be used by the uploader themself, but it poses the risk to anyone installing it.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-04-sentinel-tool\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - spyware-like\n",
"id": "MAL-2026-2516",
"modified": "2026-04-08T16:31:08Z",
"published": "2026-04-08T16:31:08Z",
"references": [
{
"type": "EVIDENCE",
"url": "https://www.virustotal.com/gui/file/53b5e79fad807e269c8e7fdd924839e911ad58795d62dc09a4733833653b3569/detection"
},
{
"type": "WEB",
"url": "https://bad-packages.kam193.eu/pypi/package/sentinel-tool"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in sentinel-tool (PyPI)"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…