MAL-2024-12320

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/osint-tool/MAL-2024-12320.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2024-12320
Published
2024-10-02T07:55:07Z
Modified
2025-12-31T02:56:05.349380Z
Summary
Malicious code in osint-tool (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (10a834a37294b0f3aaf52345444f8c5c2a15dde780c8342446c53ecc05d623c0)

osint packages promise to be OSINT tool, however, when providing the username to search for, the package attempts to exfiltrate Discord tokens from the user.

The original package suggests being a library for Discord exfiltration, what is suspicious on its own, but in addition, the entry point located in main.py exfiltrate local Discord tokens to a hardcoded webhook.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-09-discord-token-lib

Reasons (based on the campaign):

  • exfiltration-generic

  • action-hidden-in-lib-usage

Database specific
{
    "iocs": {
        "urls": [
            "https://discord.com/api/webhooks/1271645951026659339/wWCSAlPG3TuhycH7ex6h9O48nKdFn4G55WUk4-lgay4RQTpCbbt-DYuo9jLIHYEReQKj"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "pypi/2024-09-discord-token-lib/osint-tool",
            "modified_time": "2024-10-02T07:55:07Z",
            "import_time": "2025-12-02T22:30:55.415941911Z",
            "sha256": "0d5c4163ca79428423dab39798608ee8cc3f01459134f4ebaaa304b7707bd43e",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "id": "pypi/2024-09-discord-token-lib/osint-tool",
            "modified_time": "2024-10-02T07:55:07Z",
            "import_time": "2025-12-02T23:07:18.444513372Z",
            "sha256": "10a834a37294b0f3aaf52345444f8c5c2a15dde780c8342446c53ecc05d623c0",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "versions": [
                "0.1",
                "0.2",
                "0.5",
                "0.4"
            ],
            "id": "pypi/2024-09-discord-token-lib/osint-tool",
            "modified_time": "2024-10-02T07:55:07Z",
            "import_time": "2025-12-10T21:38:57.662970187Z",
            "sha256": "021db96fc63001447434cd54e4264a624c68527ba98de376627ee718e26f52ce",
            "source": "kam193"
        },
        {
            "versions": [
                "0.1",
                "0.2",
                "0.4",
                "0.5"
            ],
            "id": "pypi/2024-09-discord-token-lib/osint-tool",
            "modified_time": "2024-10-02T07:55:07Z",
            "import_time": "2025-12-30T22:39:04.13721137Z",
            "sha256": "b1826528a64b1a5d346db7a26ccf0ee6de648d2542ea1244040cc644c625ac69",
            "source": "kam193"
        }
    ]
}
References
Credits

Affected packages

PyPI / osint-tool

Package

Affected ranges

Affected versions

0.*
0.1
0.2
0.4
0.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/osint-tool/MAL-2024-12320.json"