MAL-2024-11517
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/agent-user-generate/MAL-2024-11517.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2024-11517
- Published
- 2024-10-07T22:16:18Z
- Modified
- 2026-03-19T12:49:53.502113Z
- Summary
- Malicious code in agent-user-generate (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (514af1dfd929068fabc7527812b99ec6a287c3601d7cf4ed1d29c55e74339fac)
Inside the library there is a part running code hidden in the attached image, which then exfiltrate user-provided data, downloads and install next stage code, exfiltrate TXT files and finally installs infostealers - Lumma and a custom one. Arround L110
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2024-10-fake-usreagent
Reasons (based on the campaign):
infostealer
files-exfiltration
clipboard-stealing
obfuscation
clones-real-package
action-hidden-in-lib-usage
- Database specific
{ "malicious-packages-origins": [ { "sha256": "a889abb4eadea57db9003ed22341c12187f6d456fac6224fe735a678cd576e9d", "source": "reversing-labs", "modified_time": "2024-12-09T06:49:42Z", "id": "RLMA-2024-10960", "versions": [ "1.6.7" ], "import_time": "2024-12-09T14:38:40.310298367Z" }, { "sha256": "177a51807e8613299d7d6c39332f6b1c0ceb742b4f7e438ede97de877efc65c6", "source": "kam193", "modified_time": "2024-10-07T22:16:18Z", "id": "pypi/2024-10-fake-usreagent/agent-user-generate", "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "import_time": "2025-12-02T22:30:54.886094346Z" }, { "sha256": "514af1dfd929068fabc7527812b99ec6a287c3601d7cf4ed1d29c55e74339fac", "source": "kam193", "modified_time": "2024-10-07T22:16:18Z", "id": "pypi/2024-10-fake-usreagent/agent-user-generate", "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "import_time": "2025-12-02T23:07:17.929054927Z" }, { "sha256": "e581ab4a4b611e076da1c25ad0fb0e77b1c47c5af132617d70184311e7fffd23", "source": "kam193", "modified_time": "2024-10-07T22:16:18Z", "id": "pypi/2024-10-fake-usreagent/agent-user-generate", "versions": [ "1.6.7" ], "import_time": "2025-12-10T21:38:57.239682363Z" }, { "sha256": "029202de1000a3da43e4a8f64421173d0e4ad674efd9ff01e42539fd81031f67", "source": "reversing-labs", "modified_time": "2026-03-18T12:10:44Z", "id": "RLUA-2026-00037", "import_time": "2026-03-19T12:19:20.069050715Z" } ], "iocs": { "domains": [ "ethscanold.com", "crypto-api.net" ], "urls": [ "https://ethscanold.com/ex_ewq1/2e.exe", "https://ethscanold.com/ex_ewq1/cdr2.exe", "https://ethscanold.com/r.php" ] } }- References
- Credits
-
-
- Kamil Mańkowski (kam193)
-
- Kamil Mańkowski (kam193) - REPORTER
-
- ReversingLabs - FINDER
-
Affected packages
PyPI / agent-user-generate
Package
- Name
- agent-user-generate
- View open source insights on deps.dev
- Purl
- pkg:pypi/agent-user-generate