MAL-2024-11736

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/upllib/MAL-2024-11736.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2024-11736

Published

2024-10-03T16:34:31Z

Modified

2026-03-19T12:57:55.301389Z

Summary

Malicious code in upllib (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (6207428c93f872f851e291726fc7a7384f9226b903c01a5a3f1545f82d66bf0b)

When importing the module and a specific file exists in the current directory, obfuscated code downloads and starts the next stage of obfuscated code (cstealer infostealer)

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-10-pyutiltool

Reasons (based on the campaign):

infostealer
obfuscation
infostealer:cstealer

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "3e2724ad7f14027e907a4cee699360a47bddea1e86c2bd183fe9e1c65298ef74",
            "source": "reversing-labs",
            "modified_time": "2024-12-09T06:51:23Z",
            "id": "RLMA-2024-11197",
            "versions": [
                "1"
            ],
            "import_time": "2024-12-09T14:38:50.333537127Z"
        },
        {
            "sha256": "bb28e3795acba47121f078eb76292875a57d1a1a687f9e41d924c5dfaa000d9b",
            "source": "kam193",
            "modified_time": "2024-10-03T16:34:31Z",
            "id": "pypi/2024-10-pyutiltool/upllib",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T22:30:55.692631747Z"
        },
        {
            "sha256": "6207428c93f872f851e291726fc7a7384f9226b903c01a5a3f1545f82d66bf0b",
            "source": "kam193",
            "modified_time": "2024-10-03T16:34:31Z",
            "id": "pypi/2024-10-pyutiltool/upllib",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T23:07:18.738320985Z"
        },
        {
            "sha256": "250e442532abf631f411adc5b3ce5d10d2d1abdd6ac4538e54df3d08d9acdc81",
            "source": "kam193",
            "modified_time": "2024-10-03T16:34:31Z",
            "id": "pypi/2024-10-pyutiltool/upllib",
            "versions": [
                "1.0"
            ],
            "import_time": "2025-12-10T21:38:57.91066374Z"
        },
        {
            "sha256": "b5fb81e066eacbca3ddd0f9e0df5d283b6bfc8bce9d92559bd284a32123bcb9a",
            "source": "reversing-labs",
            "modified_time": "2026-03-18T12:20:00Z",
            "id": "RLUA-2026-00873",
            "import_time": "2026-03-19T12:20:38.870747134Z"
        }
    ],
    "iocs": {
        "domains": [
            "blockatlaspro.com"
        ],
        "urls": [
            "https://blockatlaspro.com/application.py",
            "https://blockatlaspro.com/test.py"
        ]
    }
}

References

https://bad-packages.kam193.eu/pypi/package/upllib

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / upllib

Package

Name: upllib; View open source insights on deps.dev
Purl: pkg:pypi/upllib

Affected ranges

Affected versions

Other

1.*

1.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/upllib/MAL-2024-11736.json"