MAL-2025-191617

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/aiohttp-openssl/MAL-2025-191617.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191617
Published
2025-10-24T08:30:46Z
Modified
2026-03-19T12:49:58.523503Z
Summary
Malicious code in aiohttp-openssl (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (67b219a81e6b2dd7db78b4b223da914ee7baefd0ab056940d3af0bc3b47846a0)

Packages silently decrypt content hidden in a dependency and load it as Python extension modules.

In the first wave, those are copies of legitimate aiohttp and aiohappyeyeballs packages. In the second wave, malicious packages created good-looking forks of legitimate rich and pigments packages.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-10-asynhttp

Reasons (based on the campaign):

  • typosquatting
  • exfiltration-generic
  • obfuscation
  • clones-real-package
  • native-extension

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2025-12-01T12:54:01Z",
            "versions": [
                "3.13.1"
            ],
            "sha256": "35d37db96c51b64ae5d8de5ae993f0f59b34cd5ccdde92a279efff2e85cd8a55",
            "id": "RLMA-2025-05584",
            "source": "reversing-labs",
            "import_time": "2025-12-02T09:09:35.879503319Z"
        },
        {
            "modified_time": "2025-10-24T08:30:46.46558Z",
            "versions": [
                "3.13.1"
            ],
            "sha256": "92f57455ebf461496d8be2499befaa79fe9c3a837220453d86a83e066deed343",
            "id": "pypi/2025-10-asynhttp/aiohttp-openssl",
            "source": "kam193",
            "import_time": "2025-12-02T22:30:54.890597897Z"
        },
        {
            "modified_time": "2025-10-24T08:30:46.46558Z",
            "versions": [
                "3.13.1"
            ],
            "sha256": "c043876b5e096c7a7871643bcb7f9a6c41f5b561e57792478e86fe68eb7452ce",
            "id": "pypi/2025-10-asynhttp/aiohttp-openssl",
            "source": "kam193",
            "import_time": "2025-12-02T23:07:17.934504723Z"
        },
        {
            "modified_time": "2025-10-24T08:30:46.46558Z",
            "versions": [
                "3.13.1"
            ],
            "sha256": "67b219a81e6b2dd7db78b4b223da914ee7baefd0ab056940d3af0bc3b47846a0",
            "id": "pypi/2025-10-asynhttp/aiohttp-openssl",
            "source": "kam193",
            "import_time": "2025-12-10T18:45:05.205088296Z"
        },
        {
            "modified_time": "2026-03-18T12:10:48Z",
            "sha256": "694360ba724d11336471a4a39de2f3bc4e2c7870492b44d48c14fcb8a08b0a8f",
            "id": "RLUA-2026-00043",
            "source": "reversing-labs",
            "import_time": "2026-03-19T12:19:20.775061291Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / aiohttp-openssl

Package

Affected ranges

Affected versions

3.*
3.13.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/aiohttp-openssl/MAL-2025-191617.json"