MAL-2025-191756 Malicious code in hexdecimal (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c76fe38c65db757a8e7f52d36acea2c85ea223e1342e513c0eb2115b19da7bcb Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...

Malicious code in pygments-richstyle (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a965f61b1e51e6c96a8987633eaf2f23001320e4c6b884c33603230c66798e74 Packages silently decrypt content hidden in a dependency and load them as Python extension modules. In the first wave, those are copies of legitimate aiohttp a...

MAL-2025-191654 Malicious code in pygments-richstyle (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a965f61b1e51e6c96a8987633eaf2f23001320e4c6b884c33603230c66798e74 Packages silently decrypt content hidden in a dependency and load them as Python extension modules. In the first wave, those are copies of legitimate aiohttp a...

Malicious code in richx (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 924fa9cf3bc0754ab76a7b5960deb5b7295f4f0f3270cc5724214bdd7d543675 Packages silently decrypt content hidden in a dependency and load them as Python extension modules. In the first wave, those are copies of legitimate aiohttp a...

MAL-2025-191658 Malicious code in richx (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 924fa9cf3bc0754ab76a7b5960deb5b7295f4f0f3270cc5724214bdd7d543675 Packages silently decrypt content hidden in a dependency and load them as Python extension modules. In the first wave, those are copies of legitimate aiohttp a...

Malicious code in speed-testing-nt (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 dcfc1b92868e7f4eef0f4c0e901418a557089fe5269a1e4ef07725d397cddbb3 The package, distinguished as a speed testing or typosquatted Telegram library, contains a Telegram bot to perform remote control of the computer --- Category:...

Malicious code in install-all-setup (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 519885ab1e79055139dd279d8e9bf603b4f1d0c0f3f6d3c90231c934f26bbb60 Package downloads and runs an obfuscated bat file, which executes malicious activity according to VirusTotal results. --- Category: MALICIOUS - The campaign ha...

MAL-2025-191640 Malicious code in install-all-setup (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 519885ab1e79055139dd279d8e9bf603b4f1d0c0f3f6d3c90231c934f26bbb60 Package downloads and runs an obfuscated bat file, which executes malicious activity according to VirusTotal results. --- Category: MALICIOUS - The campaign ha...

Malicious code in aiohappyeyeball (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c4026e5d61b51d8fb2688488995ad95c662a15084e5c4799b0e68d0962291056 Malicious copy of the legit aiohappyeyeballs package, the pycache/staggerd.pyc contains a suspicious binary content which seems not to be a valid PYC ---...

Malicious code in httpserver-cache (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 f48fad5068e7bfd86223ca6ef2fbf939ae684f2a4ae499f15f9cbe1e0cd9144d Packages silently decrypt content hidden in a dependency and load them as Python extension modules. In the first wave, those are copies of legitimate aiohttp a...

MAL-2025-191632 Malicious code in httpserver-cache (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 f48fad5068e7bfd86223ca6ef2fbf939ae684f2a4ae499f15f9cbe1e0cd9144d Packages silently decrypt content hidden in a dependency and load them as Python extension modules. In the first wave, those are copies of legitimate aiohttp a...

MAL-2025-191622 Malicious code in donotinstall (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a0c56680f6f4db81ec1ad0691253d592055a3581b00e9c93e3dfd6d448b63212 Package contains obfuscated reverse shell. However, it connects with a local IP only, thus it's much more a test than a malicious action --- Category:...

Malicious code in syschecker (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 81ab746bf511a8c6c41c5776e5688c310a5255c65fda0fad65e31b1ed534dc91 Package downloads and runs an obfuscated bat file, which executes malicious activity according to VirusTotal results. --- Category: MALICIOUS - The campaign ha...

MAL-2025-191663 Malicious code in syschecker (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 81ab746bf511a8c6c41c5776e5688c310a5255c65fda0fad65e31b1ed534dc91 Package downloads and runs an obfuscated bat file, which executes malicious activity according to VirusTotal results. --- Category: MALICIOUS - The campaign ha...

MAL-2025-191665 Malicious code in windowsrequir (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8b1e2404307bae09dee3c7fe01e272b488ca2da014d14ad2a740ed76c89634e8 Package downloads and runs an obfuscated bat file, which executes malicious activity according to VirusTotal results. --- Category: MALICIOUS - The campaign ha...

Malicious code in hexdecli (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 14b72d96ce6a8700ee188783d301dc5f37cd7182ac8082491a75c582184309e4 Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...

Malicious code in benign-lib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 09477b048d84611002417894ccb3265d246be0156b096a8b47776960d45e9d3d Package hides an executable inside, and starts it when imported. The sandbox analysis shows only starting a calculator, which suggests it's a research attempt...

MAL-2025-191620 Malicious code in benign-lib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 09477b048d84611002417894ccb3265d246be0156b096a8b47776960d45e9d3d Package hides an executable inside, and starts it when imported. The sandbox analysis shows only starting a calculator, which suggests it's a research attempt...

Malicious code in ethaddrlib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 9dc2b3682a4269e98a57e232f473846d94e0c74209349b54e1ccc5c669110c47 Package claims to validate mnemonic, a sensitive part of cryptocurrency system. The responsible functions, however, send given data to a remote service, and no...

Malicious code in aiohttp-openssl (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 67b219a81e6b2dd7db78b4b223da914ee7baefd0ab056940d3af0bc3b47846a0 Packages silently decrypt content hidden in a dependency and load them as Python extension modules. In the first wave, those are copies of legitimate aiohttp a...