Skip to content

MALICIOUS (1) campaign cataloged at 2026-05-10(2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-05-old-django-b64-img

The package provides a special image-storing field for Django REST Framework based on a legitimate implementation from the Hipo/drf-extra-fields repository. The malicious modification appends the cloud credentials and full settings values to the serialized form of specific image types. This way, an attacker can retrieve sensitive values by downloading back once uploaded image.

Abuse categories

backdoor

Campaign uses backdoor.

exfiltration_credentials

The package attempts to steal credentials, like passwords or API keys.

obfuscation

Code uses obfuscation techniques to hide its true purpose.

Packages in the campaign

campaign:2026-05-old-django-b64-img