Malicious code in anthropickit (PyPI)

---

__

Source: amazon-inspector (f3e103a8a230b5fb3066fb0a9eb7f5fdf5831d4c7b71a9d83de54d8d6673eae2)

On pip install, setup.py collects the contents of every file in ~/.ssh (excluding known_hosts and authorized_keys, so private keys are read), all environment variables whose names contain KEY/SECRET/TOKEN/PASS/AUTH/API, plus the hostname and USER. The collected data is written to /tmp/runner_exfil.json and POSTed to https://enqqnvvtgrnyl.x.pipedream.net/. The package body is otherwise empty (init.py only sets version), the PKG-INFO metadata is all UNKNOWN, and the version is the sentinel 999.9.9 — a dependency-confusion pattern targeting developers searching for Anthropic-related tooling. Any installer (especially CI runners) running pip install anthropickit immediately loses SSH private keys and credential-shaped environment variables to an attacker-controlled pipedream webhook.

Source: kam193 (ff4126bd465ae6de09a2eaa94a4fd2d7d385a5dae2c093372668d4b7ecb81633)

During installation, the package attempts to exfiltrate sensitive env variables and SSH keys.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-anthropickit

Reasons (based on the campaign):

• exfiltration-ssh-keys

• exfiltration-env-variables