MAL-2024-11533

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/asyncmodules/MAL-2024-11533.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2024-11533
Published
2024-08-29T10:57:16Z
Modified
2026-03-19T12:50:30.609784Z
Summary
Malicious code in asyncmodules (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (4089e0f824ae366e1e3e128e2213a6700d6bddea0b9209fd426148a0792edd53)

In the invokehttp, the init.py contains obfuscated code attempting to download and run one of two executables. They are identified as malicious by VT and the tracks of Telegram URLs suggests attempting data exfiltration. The package itself looks like a copy of requests. In flophttp, using exactly the same obfuscation method, the infostealer is directly embeded into package code and exfiltrates data to a telegram channel.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-08-invokehttp

Reasons (based on the campaign):

  • infostealer

  • Downloads and executes a remote executable.

  • obfuscation

  • clones-real-package

Database specific 
{
    "iocs": {
        "urls": [
            "https://github.com/user-attachments/files/16791956/marshal.txt",
            "https://github.com/user-attachments/files/16791996/trezznor.txt"
        ]
    },
    "malicious-packages-origins": [
        {
            "sha256": "b2c1183899f718bc785b55c78cfac2b90945b16a7a16af8cd74677a89484dfd3",
            "import_time": "2024-12-09T14:38:41.00070959Z",
            "modified_time": "2024-12-09T06:49:49Z",
            "versions": [
                "2.3.5"
            ],
            "id": "RLMA-2024-10977",
            "source": "reversing-labs"
        },
        {
            "sha256": "f584355fc4dd04444c8436f9e8458c3112198801fd43940322942c3005c7d255",
            "import_time": "2025-12-02T22:30:54.952800094Z",
            "modified_time": "2024-08-29T10:57:16Z",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "pypi/2024-08-invokehttp/asyncmodules",
            "source": "kam193"
        },
        {
            "sha256": "4089e0f824ae366e1e3e128e2213a6700d6bddea0b9209fd426148a0792edd53",
            "import_time": "2025-12-02T23:07:17.992607272Z",
            "modified_time": "2024-08-29T10:57:16Z",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "pypi/2024-08-invokehttp/asyncmodules",
            "source": "kam193"
        },
        {
            "sha256": "249cd96039a8f96f9bc8cb3a16afb5018ab0bf82cc769fcb02de8decc7a89bc8",
            "import_time": "2025-12-10T21:38:57.298207471Z",
            "modified_time": "2024-08-29T10:57:16Z",
            "versions": [
                "2.3.5"
            ],
            "id": "pypi/2024-08-invokehttp/asyncmodules",
            "source": "kam193"
        },
        {
            "sha256": "b23c4b7bcffa6ce87e0442939063b4cd987455a2670617876eb6e4c5192e8a5f",
            "import_time": "2026-03-19T12:19:24.63427324Z",
            "modified_time": "2026-03-18T12:11:19Z",
            "id": "RLUA-2026-00091",
            "source": "reversing-labs"
        }
    ]
}
References
Credits

Affected packages

PyPI / asyncmodules

Package

Name
asyncmodules
View open source insights on deps.dev
Purl
pkg:pypi/asyncmodules

Affected ranges

Affected versions

2.*
2.3.5

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/asyncmodules/MAL-2024-11533.json"