
188 matches found

Packet Storm News
added 2025/12/26 12:0 a.m., 2 views

ReSMT: An SMT-Based Tool for Reverse Engineering

Software obfuscation techniques make code more difficult to understand, without changing its functionality. Such techniques are often used by authors of malicious software to avoid detection. Reverse Engineering of obfuscated code, i.e., the process of overcoming obfuscation and answering questio...

7.3 AI score
Exploits: 0

OSSF Malicious Packages
added 2025/12/10 8:56 a.m., 4 views

Malicious code in kzip (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7a81e0fa699edbad810083efb9de4e22f5088c31c22fdf71f7e519269dc5ad01 During initialization of the archive-support class, the package starts code from another file and downloads multi-stage malware --- Category: MALICIOUS - The...

7.3 AI score
Exploits: 0 | References: 4

Malwarebytes
added 2025/11/25 4:8 p.m., 6 views

New ClickFix wave infects users with hidden malware in images and fake Windows updates

Several researchers have flagged a new development in the ongoing ClickFix campaign: Attackers are now mimicking a Windows update screen to trick people into running malware. ClickFix campaigns use convincing lures, historically “Human Verification” screens, and now a fake “Windows Update” splash...

7.2 AI score
Exploits: 0

OSV
added 2025/11/22 4:25 p.m., 2 views

MAL-2025-191674 Malicious code in aiogram-msgeffect (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 edd5a99e6d1cebb47e713991f08b50dee4b5bf93ae487f6adc446318ccdba6e7 Importing the module starts obfuscated code which then look for data related to some Telegram clients and attempt to exfiltrate them --- Category: MALICIOUS -...

7.1 AI score
Exploits: 0 | References: 1

OSSF Malicious Packages
added 2025/11/22 3:12 p.m., 6 views

Malicious code in tgeffect (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e254217ac113edcc1914bdfcda06509137ceed6a7441b3c846653d769335bcaa Importing the module starts obfuscated code which then look for data related to some Telegram clients and attempt to exfiltrate them --- Category: MALICIOUS -...

7.2 AI score
Exploits: 0 | References: 1

OSSF Malicious Packages
added 2025/10/01 10:11 a.m., 3 views

Malicious code in tikweb (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: oracle-using-macaron 56e420aab6cf451bf10ab865d2950af02e45914f0a7618355f7ee8384ddcd858 This malicious package claims to interact with TikTok web features programmatically, but runs malicious obfuscated code upon import and via other...

7.2 AI score
Exploits: 0

OSV
added 2025/10/01 10:11 a.m., 2 views

MAL-2025-47875 Malicious code in tikweb (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: oracle-using-macaron 56e420aab6cf451bf10ab865d2950af02e45914f0a7618355f7ee8384ddcd858 This malicious package claims to interact with TikTok web features programmatically, but runs malicious obfuscated code upon import and via other...

7.2 AI score
Exploits: 0

Malwarebytes
added 2025/09/25 3:32 p.m., 3 views

New SVG-based phishing campaign is a recipe for disaster

We've written in the past about cybercriminals using SVG files for phishing and for clickjack campaigns. We found a new, rather sophisticated example of an SVG involved in phishing. For readers that missed the earlier posts, SVG files are not always simply image files. Because they are written in...

6.7 AI score
Exploits: 0

The Hacker News
added 2025/09/05 6:13 a.m., 6 views

VirusTotal Finds 44 Undetected SVG Files Used to Deploy Base64-Encoded Phishing Pages

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system. The SVG files, according to VirusTotal, are distributed via email and designed to execute an embedded...

7 AI score
Exploits: 0

OSSF Malicious Packages
added 2025/08/20 4:17 p.m., 3 views

Malicious code in hashstation (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c4f136247c8a57eee83a1a36ee355c982d900b5f5b570a0936dc1df68db6d5f2 When using methods from the package, it downloads an obfuscated code from Github and puts it in multiple localisation. While it appears that this code is used ...

7.2 AI score
Exploits: 0 | References: 1

OSSF Malicious Packages
added 2025/08/13 5:15 a.m., 3 views

Malicious code in pycrackhash (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b3323afe460298d80a354497acdd641752c5fb6bce2dce3d7e7625d7a46f1d7c When using methods from the package, it downloads an obfuscated code from Github and puts it in multiple localisation. While it appears that this code is used ...

7.2 AI score
Exploits: 0 | References: 1

OSSF Malicious Packages
added 2025/08/12 5:9 p.m., 3 views

Malicious code in tensorflowjs (npm)

Package is malicious due to code obfuscation, arbitrary command execution via child_process.spawn, and suspicious postinstall script. --- -= Per source details. Do not edit below this line.=-...

7.6 AI score
Exploits: 0 | References: 4

OSSF Malicious Packages
added 2025/07/22 7:14 a.m., 4 views

Malicious code in is (npm)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security a1baf574e6278b3c20c30fdd7875414ed04c1a695eb226fd43328004c6916873 "is" had unauthorized new versions published that contained malicious obfuscated code via account compromise...

7.2 AI score
Exploits: 0 | References: 1

OSV
added 2025/07/22 7:14 a.m., 2 views

MAL-2025-6020 Malicious code in is (npm)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security a1baf574e6278b3c20c30fdd7875414ed04c1a695eb226fd43328004c6916873 "is" had unauthorized new versions published that contained malicious obfuscated code via account compromise...

7.3 AI score
Exploits: 0 | References: 1

OSV
added 2025/07/07 9:14 a.m., 2 views

MAL-2025-191771 Malicious code in jython-file (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fc56f6ba4b75b25d4289c3aa3cb1d05f9b1d7bbfacf00b11e270d76ba87a1a3e Package attempts to load in an obfuscated way a code from a file not included in the package as well as inject a dynamic library to the Python dynamic libs...

7.1 AI score
Exploits: 0 | References: 1

Gitee
added 2025/07/06 3:22 a.m., 81 views

SharPyShell

SharPyShell SharPyShell is a tiny and obfuscated ASP.NET webshell that executes commands received by an encrypted channel compiling them in memory at runtime. SharPyShell supports only C# web applications that run on .NET Framework >= 2.0. VB is not supported atm. Usage python3 SharPyShell.py genera...

7.6 AI score
Exploits: 0

OSV
added 2025/07/02 5:39 a.m., 1 views

MAL-2025-5829 Malicious code in node-mongoose-orm (npm)

The package employs typosquatting to impersonate a legitimate author and package, and it contains obfuscated code that exfiltrates sensitive user data and creates a backdoor for remote code execution. The core of the malicious activity is found in the package/lib/writer.js file. The lib/writer.js...

7.6 AI score
Exploits: 0

The Hacker News
added 2025/06/13 2:12 p.m., 20 views

Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month

Cybersecurity researchers are calling attention to a "large-scale campaign" that has been observed compromising legitimate websites with malicious JavaScript injections. According to Palo Alto Networks Unit 42, these malicious injects are obfuscated using JSFuck, which refers to an "esoteric and...

7.3 AI score
Exploits: 0

OSSF Malicious Packages
added 2025/05/27 2:52 p.m., 4 views

Malicious code in caixaequ2ahzoop (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 da1d699d5d12de135ae0da4180622e30084a77fd76ee5cd36fe5667ce14c4bbe Obfuscated code gets a command from the remote target and executes it. At the time of the test, it was just "whoami". Thus, it's rather just an experiment ---...

7.7 AI score
Exploits: 0 | References: 1

The Hacker News
added 2025/05/15 10:0 a.m., 28 views

Malicious npm Package Leverages Unicode Steganography, Google Calendar as C2 Dropper

Cybersecurity researchers have discovered a malicious package named "os-info-checker-es6" that disguises itself as an operating system information utility to stealthily drop a next-stage payload onto compromised systems. "This campaign employs clever Unicode-based steganography to hide its initia...

7.2 AI score
Exploits: 0