The package contains code to download and execute a reverse shell script.
-= Per source details. Do not edit below this line.=-
When imported, the package download and runs a remote stage - a reverse shell. To mask activity, the remote domain is made to mimic PyPI host: files[.]pythonhosted[.]ru
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2024-10-innostage
Reasons (based on the campaign):
{
"iocs": {
"domains": [
"files.pythonhosted.ru",
"pythonhosted.ru",
"files.inostage.ru"
],
"urls": [
"http://files.pythonhosted.ru/56788.txt",
"http://files.pythonhosted.ru/56789.txt"
]
},
"malicious-packages-origins": [
{
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"id": "pypi/2024-10-innostage/cyberart",
"source": "kam193",
"import_time": "2025-12-02T22:30:55.084711416Z",
"modified_time": "2024-10-07T13:23:16Z",
"sha256": "e2db5c4e210d50361b0f9e96e0a79ba87d4f034b7ffdaa6d58de674b61e5807c"
},
{
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"id": "pypi/2024-10-innostage/cyberart",
"source": "kam193",
"import_time": "2025-12-02T23:07:18.097797323Z",
"modified_time": "2024-10-07T13:23:16Z",
"sha256": "a56fce758142261d4c665b192e7f292a8b9c89a750be3271fc2e1c784d886828"
},
{
"sha256": "72e27c8c05580e1bbe564da1183f0a35fa7ba54dcd160a641814a6766d4840ea",
"id": "pypi/2024-10-innostage/cyberart",
"source": "kam193",
"import_time": "2025-12-10T21:38:57.387384674Z",
"modified_time": "2024-10-07T13:23:16Z",
"versions": [
"7.0.6"
]
}
]
}