MAL-2024-11657

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pdf2doc/MAL-2024-11657.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2024-11657

Published

2024-09-19T21:35:06Z

Modified

2026-03-19T12:55:18.965992Z

Summary

Malicious code in pdf2doc (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (ae55659200290f97e3d07c41d49af574eb14ad3dc5913535e8d100cf2c48dd58)

During installation, the code attempts to exfiltrate basic data (username, host name) and send to the attacker. The package looks to be a clone of an existing one

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-09-pdf2doc

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
typosquatting
obfuscation
dependency-confusion
The package overrides the install command in setup.py to execute malicious code during installation.
clones-real-package

Database specific

{
    "iocs": {
        "domains": [
            "partywave.site"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "RLMA-2024-11113",
            "modified_time": "2024-12-09T06:50:47Z",
            "versions": [
                "0.3.9"
            ],
            "source": "reversing-labs",
            "import_time": "2024-12-09T14:38:46.841666605Z",
            "sha256": "751b13e0f4628b4af5f5e84a940e967e28655aa6de7ad858e8b73a8a9f0de0b5"
        },
        {
            "id": "pypi/2024-09-pdf2doc/pdf2doc",
            "modified_time": "2024-09-19T21:35:06Z",
            "import_time": "2025-12-02T22:30:55.421699068Z",
            "source": "kam193",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "sha256": "0ff273048f4e4de37731d163191de44bf9c9d5063b6c1326408fd760254ca429"
        },
        {
            "id": "pypi/2024-09-pdf2doc/pdf2doc",
            "modified_time": "2024-09-19T21:35:06Z",
            "import_time": "2025-12-02T23:07:18.450632485Z",
            "source": "kam193",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "sha256": "ae55659200290f97e3d07c41d49af574eb14ad3dc5913535e8d100cf2c48dd58"
        },
        {
            "id": "pypi/2024-09-pdf2doc/pdf2doc",
            "modified_time": "2024-09-19T21:35:06Z",
            "versions": [
                "0.3.9"
            ],
            "source": "kam193",
            "import_time": "2025-12-10T21:38:57.666995652Z",
            "sha256": "30087900c557360b0bdcc4f090bd7a7a55dd9c716d1b79d21845c5f377a56c78"
        },
        {
            "id": "RLUA-2026-00585",
            "modified_time": "2026-03-18T12:16:51Z",
            "import_time": "2026-03-19T12:20:11.542629132Z",
            "source": "reversing-labs",
            "sha256": "6a68ba79922b515822126e889940bafba5b4f6a546ca21de1a829f031e56e48a"
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/pdf2doc

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / pdf2doc

Package

Name: pdf2doc; View open source insights on deps.dev
Purl: pkg:pypi/pdf2doc

Affected ranges

Affected versions

0.*

0.3.9

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pdf2doc/MAL-2024-11657.json"