MAL-2024-11738
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/user-gen-agent-random/MAL-2024-11738.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2024-11738
- Published
- 2024-10-07T22:16:18Z
- Modified
- 2026-03-19T12:57:54.277757Z
- Summary
- Malicious code in user-gen-agent-random (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (22f729ba6b5abecacd2d94214cf0075ac0729fb59d4e9cc1cf6287a2bf6e2ab6)
Inside the library there is a part running code hidden in the attached image, which then exfiltrate user-provided data, downloads and install next stage code, exfiltrate TXT files and finally installs infostealers - Lumma and a custom one. Arround L110
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2024-10-fake-usreagent
Reasons (based on the campaign):
infostealer
files-exfiltration
clipboard-stealing
obfuscation
clones-real-package
action-hidden-in-lib-usage
- Database specific
{ "iocs": { "urls": [ "https://ethscanold.com/ex_ewq1/2e.exe", "https://ethscanold.com/ex_ewq1/cdr2.exe", "https://ethscanold.com/r.php" ], "domains": [ "ethscanold.com", "crypto-api.net" ] }, "malicious-packages-origins": [ { "id": "RLMA-2024-11199", "import_time": "2024-12-09T14:38:50.496678901Z", "sha256": "d654bb7f8b02092a700d5d50271a1084cbb40675f2b37fbc73a31c1ff0acc700", "source": "reversing-labs", "modified_time": "2024-12-09T06:51:24Z", "versions": [ "1.6.8", "1.6.9", "1.7.0" ] }, { "id": "pypi/2024-10-fake-usreagent/user-gen-agent-random", "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "import_time": "2025-12-02T22:30:55.693601489Z", "sha256": "41554d5e5b4ef559940a404c71e2a4b8fc03c2933fc5a66fd0ac644c6b8ab542", "source": "kam193", "modified_time": "2024-10-07T22:16:18Z" }, { "id": "pypi/2024-10-fake-usreagent/user-gen-agent-random", "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "import_time": "2025-12-02T23:07:18.739346341Z", "sha256": "22f729ba6b5abecacd2d94214cf0075ac0729fb59d4e9cc1cf6287a2bf6e2ab6", "source": "kam193", "modified_time": "2024-10-07T22:16:18Z" }, { "id": "pypi/2024-10-fake-usreagent/user-gen-agent-random", "import_time": "2025-12-10T21:38:57.91338865Z", "sha256": "017b8528e013ac05af3886e43b02de2437efabcc7944fd7cdfe28dfe56b8a0b0", "source": "kam193", "modified_time": "2024-10-07T22:16:18Z", "versions": [ "1.7.0", "1.6.8", "1.6.9" ] }, { "id": "pypi/2024-10-fake-usreagent/user-gen-agent-random", "import_time": "2025-12-30T22:39:04.202542337Z", "sha256": "09f7850df7ff22eaf03f4d6790d4f0ef1a725b058221b417be36173fda6b6a9e", "source": "kam193", "modified_time": "2024-10-07T22:16:18Z", "versions": [ "1.6.8", "1.6.9", "1.7.0" ] }, { "id": "RLUA-2026-00874", "import_time": "2026-03-19T12:20:38.996997997Z", "sha256": "ed29bfc65da02c76aa12dc5a9c13e0aed560f55091bca93be2bb4a5053ab0a9b", "source": "reversing-labs", "modified_time": "2026-03-18T12:20:00Z" } ] }- References
- Credits
-
-
- Kamil Mańkowski (kam193)
-
- Kamil Mańkowski (kam193) - REPORTER
-
- ReversingLabs - FINDER
-
Affected packages
PyPI / user-gen-agent-random
Package
- Name
- user-gen-agent-random
- View open source insights on deps.dev
- Purl
- pkg:pypi/user-gen-agent-random