MAL-2024-10184

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/utilhttp/MAL-2024-10184.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2024-10184

Published

2024-08-29T10:57:16Z

Modified

2025-12-12T20:43:44.559033Z

Summary

Malicious code in utilhttp (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (f91f83da1ea0307373682776ad3de3a3fd320d57280f40fa82f47aaf316d3062)

In the invokehttp, the init.py contains obfuscated code attempting to download and run one of two executables. They are identified as malicious by VT and the tracks of Telegram URLs suggests attempting data exfiltration. The package itself looks like a copy of requests. In flophttp, using exactly the same obfuscation method, the infostealer is directly embeded into package code and exfiltrates data to a telegram channel.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-08-invokehttp

Reasons (based on the campaign):

infostealer
Downloads and executes a remote executable.
obfuscation
clones-real-package

Database specific

{
    "iocs": {
        "urls": [
            "https://github.com/user-attachments/files/16791956/marshal.txt",
            "https://github.com/user-attachments/files/16791996/trezznor.txt"
        ]
    },
    "malicious-packages-origins": [
        {
            "versions": [
                "2.3.5"
            ],
            "source": "reversing-labs",
            "id": "RLMA-2024-09477",
            "sha256": "9bcd0c5ac08a48be46e8597a96edc9580558d45062cd7fa606bf0281b4509572",
            "modified_time": "2024-10-16T14:53:30Z",
            "import_time": "2024-10-24T00:57:10.494789237Z"
        },
        {
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "kam193",
            "id": "pypi/2024-08-invokehttp/utilhttp",
            "sha256": "746164209a39b4d7dfb5c28b257e79f9fe575dadca5efee038b5f37e008ce34b",
            "modified_time": "2024-08-29T10:57:16Z",
            "import_time": "2025-12-02T22:30:55.697467394Z"
        },
        {
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "kam193",
            "id": "pypi/2024-08-invokehttp/utilhttp",
            "sha256": "f91f83da1ea0307373682776ad3de3a3fd320d57280f40fa82f47aaf316d3062",
            "modified_time": "2024-08-29T10:57:16Z",
            "import_time": "2025-12-02T23:07:18.74254021Z"
        },
        {
            "versions": [
                "2.3.5"
            ],
            "source": "kam193",
            "id": "pypi/2024-08-invokehttp/utilhttp",
            "sha256": "3a85882b21ad755b37c12046cdb9d71a574e2781a5bb6cc7d9ae0d756cb2eae4",
            "modified_time": "2024-08-29T10:57:16Z",
            "import_time": "2025-12-10T21:38:57.917543575Z"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / utilhttp

Package

Name: utilhttp; View open source insights on deps.dev
Purl: pkg:pypi/utilhttp

Affected ranges

Affected versions

2.*

2.3.5

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/utilhttp/MAL-2024-10184.json"