MAL-2025-191533

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/spellcheckers/MAL-2025-191533.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191533
Published
2025-11-15T18:49:10Z
Modified
2026-03-13T06:52:02.382602Z
Summary
Malicious code in spellcheckers (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: google-open-source-security (c83520810b148ec74e509b16851a1fafa1bec576b502a5debabd9b52520d9754)

This package is malicious and typosquatting the legitimate pyspellchecker library. This package will deploy a remote-access trojan that allows the attacker full control of the victim's host.

Source: kam193 (6585d4c29dd97a1e46f30047c7d67a6e4bbb19f9b41bc1f9ff0b5fc34b839c75)

The package contains hidden code that is effectively run during import and downloads second-stage code. Then, a process running in the background periodically connects to a remote host and waits for the next code to execute.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-11-spellcheckers

Reasons (based on the campaign):

  • obfuscation

  • Downloads and executes a remote malicious script.

  • The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2025-12-01T23:33:02Z",
            "source": "google-open-source-security",
            "import_time": "2025-12-01T23:34:06.5476Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "versions": [
                "1.4.0"
            ],
            "sha256": "c83520810b148ec74e509b16851a1fafa1bec576b502a5debabd9b52520d9754"
        },
        {
            "modified_time": "2025-11-16T11:08:23.442224Z",
            "source": "kam193",
            "import_time": "2025-12-02T22:30:55.605835156Z",
            "id": "pypi/2025-11-spellcheckers/spellcheckers",
            "versions": [
                "1.3.0",
                "1.2.0",
                "1.1.1",
                "1.1.0",
                "1.0.0",
                "1.4.0",
                "1.5.0"
            ],
            "sha256": "be6181a6e093f3690fb5ea437000e85951c02043f8e9c04d51129adf65e1ba47"
        },
        {
            "modified_time": "2025-11-16T11:08:23.442224Z",
            "source": "kam193",
            "import_time": "2025-12-02T23:07:18.645484236Z",
            "id": "pypi/2025-11-spellcheckers/spellcheckers",
            "versions": [
                "1.3.0",
                "1.2.0",
                "1.1.1",
                "1.1.0",
                "1.0.0",
                "1.4.0",
                "1.5.0"
            ],
            "sha256": "6585d4c29dd97a1e46f30047c7d67a6e4bbb19f9b41bc1f9ff0b5fc34b839c75"
        },
        {
            "modified_time": "2025-11-16T11:08:23.442224Z",
            "source": "kam193",
            "import_time": "2025-12-30T22:39:04.182445231Z",
            "id": "pypi/2025-11-spellcheckers/spellcheckers",
            "versions": [
                "1.0.0",
                "1.1.0",
                "1.1.1",
                "1.2.0",
                "1.3.0",
                "1.4.0",
                "1.5.0"
            ],
            "sha256": "f1480b0a527a5822a51a4c61b868fd8f3adbcf1d117e98fb5c3cd776a1a8dd0d"
        },
        {
            "modified_time": "2025-11-16T11:08:23.442224Z",
            "source": "kam193",
            "import_time": "2026-01-20T19:58:56.112127491Z",
            "id": "pypi/2025-11-spellcheckers/spellcheckers",
            "versions": [
                "1.0.0",
                "1.1.0",
                "1.1.1",
                "1.2.0",
                "1.3.0",
                "1.4.0",
                "1.5.0"
            ],
            "sha256": "079f275754257ece01048207316e48f31bf7b67b5374a442eaf430c29c0e324e"
        },
        {
            "modified_time": "2025-11-16T11:08:23.442224Z",
            "source": "kam193",
            "import_time": "2026-01-27T18:48:13.387191363Z",
            "id": "pypi/2025-11-spellcheckers/spellcheckers",
            "versions": [
                "1.0.0",
                "1.1.0",
                "1.1.1",
                "1.2.0",
                "1.3.0",
                "1.4.0",
                "1.5.0"
            ],
            "sha256": "c08a71d4505792aedda6306cf827fe3bae40ffc887922bd1869dc08c27bd18ff"
        },
        {
            "modified_time": "2025-11-16T11:08:23.442224Z",
            "source": "kam193",
            "import_time": "2026-01-28T19:11:43.698471065Z",
            "id": "pypi/2025-11-spellcheckers/spellcheckers",
            "versions": [
                "1.0.0",
                "1.1.0",
                "1.1.1",
                "1.2.0",
                "1.3.0",
                "1.4.0",
                "1.5.0"
            ],
            "sha256": "38fcddbdb282b32cfe5f0ec1a7d026f8247e88fc164d34ecdda8d53294ec37f2"
        },
        {
            "modified_time": "2025-11-16T11:08:23.442224Z",
            "source": "kam193",
            "import_time": "2026-03-11T10:47:48.524348202Z",
            "id": "pypi/2025-11-spellcheckers/spellcheckers",
            "versions": [
                "1.0.0",
                "1.1.0",
                "1.1.1",
                "1.2.0",
                "1.3.0",
                "1.4.0",
                "1.5.0"
            ],
            "sha256": "94d56ad51850af2cd423312c4fd3ff9b1bacf1a84684cde7998740e91aa80dd3"
        }
    ],
    "iocs": {
        "urls": [
            "dothebest.store/allow/inform.php",
            "dothebest.store/refresh.php"
        ],
        "domains": [
            "dothebest.store"
        ]
    }
}

Affected packages

PyPI / spellcheckers

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.0.0
1.1.0
1.1.1
1.2.0
1.3.0
1.4.0
1.5.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/spellcheckers/MAL-2025-191533.json"