-= Per source details. Do not edit below this line.=-
This package is malicious and typosquats the legitimate pyspellchecker library. It deploys a remote-access trojan that gives the attacker full control of the victim's host.
The package contains hidden code that runs on import and downloads second-stage code. A background process then periodically connects to a remote host and waits for further code to execute.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-11-spellcheckers
Reasons (based on the campaign):
obfuscation
Downloads and executes a remote malicious script.
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
{
"malicious-packages-origins": [
{
"modified_time": "2025-12-01T23:33:02Z",
"source": "google-open-source-security",
"import_time": "2025-12-01T23:34:06.5476Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.4.0"
],
"sha256": "c83520810b148ec74e509b16851a1fafa1bec576b502a5debabd9b52520d9754"
},
{
"modified_time": "2025-11-16T11:08:23.442224Z",
"source": "kam193",
"import_time": "2025-12-02T22:30:55.605835156Z",
"id": "pypi/2025-11-spellcheckers/spellcheckers",
"versions": [
"1.3.0",
"1.2.0",
"1.1.1",
"1.1.0",
"1.0.0",
"1.4.0",
"1.5.0"
],
"sha256": "be6181a6e093f3690fb5ea437000e85951c02043f8e9c04d51129adf65e1ba47"
},
{
"modified_time": "2025-11-16T11:08:23.442224Z",
"source": "kam193",
"import_time": "2025-12-02T23:07:18.645484236Z",
"id": "pypi/2025-11-spellcheckers/spellcheckers",
"versions": [
"1.3.0",
"1.2.0",
"1.1.1",
"1.1.0",
"1.0.0",
"1.4.0",
"1.5.0"
],
"sha256": "6585d4c29dd97a1e46f30047c7d67a6e4bbb19f9b41bc1f9ff0b5fc34b839c75"
},
{
"modified_time": "2025-11-16T11:08:23.442224Z",
"source": "kam193",
"import_time": "2025-12-30T22:39:04.182445231Z",
"id": "pypi/2025-11-spellcheckers/spellcheckers",
"versions": [
"1.0.0",
"1.1.0",
"1.1.1",
"1.2.0",
"1.3.0",
"1.4.0",
"1.5.0"
],
"sha256": "f1480b0a527a5822a51a4c61b868fd8f3adbcf1d117e98fb5c3cd776a1a8dd0d"
},
{
"modified_time": "2025-11-16T11:08:23.442224Z",
"source": "kam193",
"import_time": "2026-01-20T19:58:56.112127491Z",
"id": "pypi/2025-11-spellcheckers/spellcheckers",
"versions": [
"1.0.0",
"1.1.0",
"1.1.1",
"1.2.0",
"1.3.0",
"1.4.0",
"1.5.0"
],
"sha256": "079f275754257ece01048207316e48f31bf7b67b5374a442eaf430c29c0e324e"
},
{
"modified_time": "2025-11-16T11:08:23.442224Z",
"source": "kam193",
"import_time": "2026-01-27T18:48:13.387191363Z",
"id": "pypi/2025-11-spellcheckers/spellcheckers",
"versions": [
"1.0.0",
"1.1.0",
"1.1.1",
"1.2.0",
"1.3.0",
"1.4.0",
"1.5.0"
],
"sha256": "c08a71d4505792aedda6306cf827fe3bae40ffc887922bd1869dc08c27bd18ff"
},
{
"modified_time": "2025-11-16T11:08:23.442224Z",
"source": "kam193",
"import_time": "2026-01-28T19:11:43.698471065Z",
"id": "pypi/2025-11-spellcheckers/spellcheckers",
"versions": [
"1.0.0",
"1.1.0",
"1.1.1",
"1.2.0",
"1.3.0",
"1.4.0",
"1.5.0"
],
"sha256": "38fcddbdb282b32cfe5f0ec1a7d026f8247e88fc164d34ecdda8d53294ec37f2"
},
{
"modified_time": "2025-11-16T11:08:23.442224Z",
"source": "kam193",
"import_time": "2026-03-11T10:47:48.524348202Z",
"id": "pypi/2025-11-spellcheckers/spellcheckers",
"versions": [
"1.0.0",
"1.1.0",
"1.1.1",
"1.2.0",
"1.3.0",
"1.4.0",
"1.5.0"
],
"sha256": "94d56ad51850af2cd423312c4fd3ff9b1bacf1a84684cde7998740e91aa80dd3"
}
],
"iocs": {
"urls": [
"dothebest.store/allow/inform.php",
"dothebest.store/refresh.php"
],
"domains": [
"dothebest.store"
]
}
}