Malicious package

vectordb-engine (PyPI)

Malicious code in vectordb-engine (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-4814
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall vectordb-engine

What this malware does

During pip install, a custom build_ext step in src/vectordb_engine_build.py runs an obfuscated payload that performs targeted reconnaissance and exfiltration. Before doing anything else, it SHA-256-hashes the lowercased machine hostname against an obfuscated salt and compares the digest against three hardcoded allowed-hash constants; if the hostname does not match, the process calls exit() — the canonical shape of a targeted supply-chain implant that lies dormant on non-victim machines.

On matching hosts, the script collects hostname, FQDN, OS, architecture, Python version, and OS username, concatenates them with | separators, XOR-encrypts the blob with a hardcoded key, hex-encodes the result, and issues an HTTPS GET to https://vectordbengine.blob.core.windows.net/kernels/?v=<encoded-fingerprint>. A separate function reads environment variables whose names are concealed behind a base85+XOR+zlib decoder (_ORQFVrfoaIJyX4SjOvpEI) and folds the values into the same exfil pipeline, consistent with scraping CI/cloud secrets without leaving readable identifiers in the source. urllib3.disable_warnings() is invoked to suppress TLS warnings.

The package metadata uses placeholder publisher identity (VectorDB Contributors, [email protected]) and constructs a cover-story URL https://releases.vectordb-engine.io/kernels that is built into a string but never actually requested — it exists only as a decoy alongside the real Azure blob exfil endpoint.

Each of (hostname-allowlist gating with exit() fallback, obfuscated env-var-name scraper feeding a network exfil, host-fingerprint XOR-encoded into a query string against attacker-controlled storage, decoy-domain cover story with placeholder publisher metadata) is independently sufficient evidence of a targeted attack; their joint presence leaves no benign interpretation.

During installation, in the build step, the code performs machine fingerprinting and, only in a highly targeted environment, downloads a likely-malicious shared library. The code appears to be incomplete.
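A proxy-log hunt for the fingerprint beacon described above, as an added example (not code from the package or from this advisory's authors). It assumes a log layout of `<timestamp> <source-host> <method> <url> <status>`; the sample lines are constructed, and because the XOR key is not published here the blob is reported by size only.

```python
import re
from urllib.parse import urlsplit, parse_qs

EXFIL_HOST = "vectordbengine.blob.core.windows.net"  # endpoint named in the advisory
EXFIL_PATH = "/kernels/"                              # path named in the advisory
HEX_BLOB = re.compile(r"^(?:[0-9a-fA-F]{2})+$")       # hex-encoded bytes, as described
URL_RE = re.compile(r"https?://\S+")

# Constructed sample lines; the log layout is an assumption, not a real product format.
SAMPLE_LOG = """\
2026-05-12T09:14:02Z build-07 GET https://pypi.org/simple/vectordb-engine/ 200
2026-05-12T09:14:09Z build-07 GET https://vectordbengine.blob.core.windows.net/kernels/?v=1f0a3c5e7b9d2244 200
2026-05-12T09:15:40Z dev-lap3 GET https://VectorDBEngine.blob.core.windows.net/kernels/sample.bin 404
2026-05-12T09:16:01Z build-02 GET https://example.com/?next=https://vectordbengine.blob.core.windows.net/kernels/ 200
"""

def classify(url):
    """Return (verdict, blob_bytes); verdict is None, 'host-contact' or 'fingerprint-beacon'."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL in the log line
        return None, 0
    # Compare the parsed hostname (already lowercased); a substring test
    # would wrongly flag the last sample line, where the name is only a parameter.
    if parts.hostname != EXFIL_HOST:
        return None, 0
    blob = parse_qs(parts.query).get("v", [""])[0]
    if parts.path.startswith(EXFIL_PATH) and HEX_BLOB.match(blob):
        return "fingerprint-beacon", len(blob) // 2
    return "host-contact", 0

def hunt(log_text):
    """Return (source_host, verdict, blob_bytes) for each line that reached the endpoint."""
    hits = []
    for line in log_text.splitlines():
        fields, match = line.split(), URL_RE.search(line)
        if len(fields) < 2 or not match:
            continue
        verdict, size = classify(match.group(0))
        if verdict:
            hits.append((fields[1], verdict, size))
    return hits

if __name__ == "__main__":
    for source, verdict, size in hunt(SAMPLE_LOG):
        print(f"{source}: {verdict} ({size} encoded bytes)")
```

Because the payload exits on hosts that fail the hostname check, a `fingerprint-beacon` hit identifies a machine that passed the allowlist gate and should be handled as compromised.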

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-vectordb-engine

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • targetted-attack

  • obfuscation

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)

42695503b90ec4adc30c038c3321d637f05038f841bcc5f463a16b891fe4e3e0
b1908db5bd2b5d1d4a5ab9238d71d6da0147994c2bb812e1ffb7e0e90626e2b4

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for vectordb-engine (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging vectordb-engine across your stack and pipelines.

  2. If you installed it — respond

    vectordb-engine is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If vectordb-engine was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks vectordb-engine before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. vectordb-engine on PyPI has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004910
2026-05-vectordb-engine

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · reporter

Detect & block this

O3 blocks vectordb-engine-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.
