MAL-2024-11564

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/crypto-format-checking/MAL-2024-11564.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2024-11564
Published
2024-10-07T22:16:18Z
Modified
2026-03-19T12:52:07.445442Z
Summary
Malicious code in crypto-format-checking (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (a95b535a5d579db23cf10d4a9897278238afb3093600235b1f39ddf2cca74600)

Inside the library there is a part running code hidden in the attached image, which then exfiltrate user-provided data, downloads and install next stage code, exfiltrate TXT files and finally installs infostealers - Lumma and a custom one. Arround L110

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-10-fake-usreagent

Reasons (based on the campaign):

  • infostealer

  • files-exfiltration

  • clipboard-stealing

  • obfuscation

  • clones-real-package

  • action-hidden-in-lib-usage

Database specific 
{
    "iocs": {
        "domains": [
            "ethscanold.com",
            "crypto-api.net"
        ],
        "urls": [
            "https://ethscanold.com/ex_ewq1/2e.exe",
            "https://ethscanold.com/ex_ewq1/cdr2.exe",
            "https://ethscanold.com/r.php"
        ]
    },
    "malicious-packages-origins": [
        {
            "source": "reversing-labs",
            "id": "RLMA-2024-11011",
            "modified_time": "2024-12-09T06:50:02Z",
            "sha256": "cb41607036269bb0a1c45971747774c6892126b1c3c80bcfa6a13040a4f95fd9",
            "versions": [
                "1.7.5",
                "1.7.6"
            ],
            "import_time": "2024-12-09T14:38:42.589325747Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2024-10-fake-usreagent/crypto-format-checking",
            "modified_time": "2024-10-07T22:16:18Z",
            "sha256": "a92a8d306075287f4756fade7ae39f19fe83b1819c22fc93a14ac0138ec5c96d",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T22:30:55.079202631Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2024-10-fake-usreagent/crypto-format-checking",
            "modified_time": "2024-10-07T22:16:18Z",
            "sha256": "a95b535a5d579db23cf10d4a9897278238afb3093600235b1f39ddf2cca74600",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T23:07:18.089303872Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2024-10-fake-usreagent/crypto-format-checking",
            "modified_time": "2024-10-07T22:16:18Z",
            "sha256": "267f2f8f9f1deb4e22e65491feb5819438df12068bfc152174d481bdda85e7b0",
            "versions": [
                "1.7.5",
                "1.7.6"
            ],
            "import_time": "2025-12-10T21:38:57.381898607Z"
        },
        {
            "source": "reversing-labs",
            "id": "RLUA-2026-00233",
            "modified_time": "2026-03-18T12:12:55Z",
            "sha256": "0a24b017afcfad583f0d8ef4a8da1bd6234f8d224f4ac254f4789c6e9a28d419",
            "import_time": "2026-03-19T12:19:36.904538584Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / crypto-format-checking

Package

Name
crypto-format-checking
View open source insights on deps.dev
Purl
pkg:pypi/crypto-format-checking

Affected ranges

Affected versions

1.*
1.7.5
1.7.6

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/crypto-format-checking/MAL-2024-11564.json"