PyPI Warns of Ongoing Phishing Campaign Using Fake Verification Emails and Lookalike Domain

The maintainers of the Python Package Index PyPI repository have issued a warning about an ongoing phishing attack that's targeting users in an attempt to redirect them to fake PyPI sites. The attack involves sending email messages bearing the subject line "PyPI Email verification" that are sent...

Malicious code in hello-from-shiphero (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 00eb05ac59ee167606a053bd1ac9f705de178f9a576e6fe78bae415d599157b1 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2025-191821 Malicious code in prof-qux (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5b87af8d8f13bd43c1cf3490ea551b8d60fe05a482875597ef2fe5d2c200ca19 Package silently exfiltrates user's credentials ahead of starting the promised functionality. First batch used simple code, the newer attempt to hide...

MAL-2025-6010 Malicious code in ruamel-poc (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1381375ccfff8dc10b3416284ac4a9a91c69bb2d5e7b652a2df24a64f4c5d512 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

MAL-2025-6548 Malicious code in memorylib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 be3ea3afb3553f67411c8bebff9d99282169997e212b5ee1dd14505d1612d551 Installing the package triggers a code that looks like downloading a picture, but in fact downloads and starts an executable with malware. Note that file...

MAL-2025-6549 Malicious code in memtools (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fafb3bba871c43e80681f3c9f4618ec7547fe2295b120eb93adf31a59bf021f3 Installing the package triggers a code that looks like downloading a picture, but in fact downloads and starts an executable with malware. Note that file...

MAL-2025-6614 Malicious code in vramx (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 62a5bfc96a523ea6df6a2539bea5f16b48800c1896ef7fb2df344ed0486e6a49 Installing the package triggers a code that looks like downloading a picture, but in fact downloads and starts an executable with malware. Note that file...

MAL-2025-6538 Malicious code in logghelper (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 2a5f0848002e1727d885bdf20c39e4949fd9609a4df5164a8c42ccc870aa6736 Code attempts to download and run malware, as well as keeps ability to execute files sent via Telegram C2 channel --- Category: MALICIOUS - The campaign has...

MAL-2025-6527 Malicious code in iscc-flag (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 cb80cd1cd16dd0ba2beb2e560000380b1eb3cb60d947ed49d5ce9bfb4b12008f Installing starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2025-07-anku2-rce Reasons...

MAL-2025-6432 Malicious code in anku1-rce (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 49fbe573576f7a8b2de883e6b11d60e3df40ffb8db7d62ba7f5d76a06ef4900c Installing starts a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2025-07-anku2-rce Reasons...

MAL-2025-6487 Malicious code in crto0 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8bdcf6d997fa4676ca2da647171f21e944f9b7d0f34010e6ea8da42364a2d03d Importing the module starts downloading or decrypting, and then executing an executable being a wide recognized malware/Infostealer Redline family --- Category...

MAL-2025-5847 Malicious code in vtk-osmesa (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 910e787804512eabe1c118f5347fed9f57ca936717e18a80d26622108d75399e During the installation, sensitive information are exfiltrated incl. env variables --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

MAL-2025-193014 Malicious code in cas-base (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 69eb341218878aebdec66eb5a44391314921fe3c7fb387021d0684bbb91913b3 The package contains code to install remotely stored malware and ensure its persistence. The code is not triggered automatically; it requires a separate trigge...

MAL-2025-6492 Malicious code in dbnodeindicator (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 0ca31ed82ece767a66ae60f44cfb3e36aa54f84e952217e36376f6519ac1f777 Code download and executes a remote script. At the time of analysis, the remote code just runs a notepad - as so classified as a pentest/research. --- Category...

MAL-2025-6522 Malicious code in httppack (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d66d0c3948eb48c93a56872d2a149edfcc65ae57178e7d7a51405ef755880939 Packages that might be part of testing for pentesting / malicious activity / joy, with suspicious activity that does not present any real harm. --- Category:...

Malicious code in package-346234294 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c9741d027897445cdd34a40de0f592a42641170b88a9cbab6cee3dbaaeeedb39 Packages that might be part of testing for pentesting / malicious activity / joy, with suspicious activity that does not present any real harm. --- Category:...

MAL-2025-5837 Malicious code in test-package-avinav (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 db665678ac908b6f9aa76ef069759ebd70b62c901a6f840b765ba7cac299c423 During installation, a heavily obfuscated code is executed. Exact behaviour unclear --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

MAL-2025-6513 Malicious code in gramapi (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 2c3452393093f1f74c19a9049b50fb9c96e9b31ef8235cf0597eb656e6feb8ea The code is automatically starting, calling a Telegram channel with basic info, and waits for remote code to execute --- Category: MALICIOUS - The campaign has...

MAL-2025-6569 Malicious code in puregram (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7bd190edcbb3734a8578c4e0c5dbd9655bc59613d53e67bfd04b3604cf1aa328 The code is automatically starting, calling a Telegram channel with basic info, and waits for remote code to execute --- Category: MALICIOUS - The campaign has...

MAL-2025-6610 Malicious code in tronpyapi (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 3937a7f13d0db04c75985a870ed1eec73aaaff23ce5c45d9fcb64a239576cfc7 Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...