This is an advisory for a malicious package.
We recommend immediate removal of malicious versions of this package. Safety Firewall is actively blocking installation and will help you identify any existing installations of the package.
PyPI: fluxhttp
SFTY-20260326-72648
--- _-= Per source details. Do not edit below this line.=-_ ## Source: kam193 (2669b72303bd592ba1633febc04bca1f0a8804d8546baf21b5f3f12baaa80f29) Malicious clone of a legitimate package. When using it, the code attempts to download and execute remote code. In on of the incarnations, the malicious code was embeded in the strongly obfuscated file, which at least collected data from cryptowallets and password managers and exfiltrated them to a hardcoded remote location. The downloaded next stage varies depending on the running platform. On Windows, it's extream obfuscated script. On Linux and MacOS they are binaries, named "systemd-resolved" and "com.apple.systemevents" with clear signs of stealing browsers and cryptocurrency data. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-03-license-utils-kit Reasons (based on the campaign): - infostealer - obfuscation - crypto-related - action-hidden-in-lib-usage - exfiltration-credentials - clones-real-package
Overview
Malicious code in fluxhttp (PyPI)
Advisory
Malicious code in fluxhttp (PyPI)
How to Fix
We recommend updating fluxhttp to the latest non-vulnerable version.
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more