MAL-2025-191619

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/asynhttp/MAL-2025-191619.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191619
Published
2025-10-22T12:41:46Z
Modified
2026-03-19T12:50:31.838789Z
Summary
Malicious code in asynhttp (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (058c3bab076ccb770a3ecaefbdb301df88bd935a79f154cdeb329c51c4a1eef5)

Packages silently decrypt content hidden in a dependency and load them as Python extension modules.

In the first wave, those are copies of legitimate aiohttp and aiohappyeyeballs packages. In the second wave, malicious packages created good-looking forks of legitimate rich and pigments packages.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-10-asynhttp

Reasons (based on the campaign):

  • typosquatting

  • exfiltration-generic

  • obfuscation

  • clones-real-package

  • native-extension

Database specific 
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.13.1"
            ],
            "modified_time": "2025-12-01T12:54:04Z",
            "sha256": "27f648a30d77874cfffeb97c2052d67485ed66da94f30db8cf52415393a89ca0",
            "id": "RLMA-2025-05586",
            "source": "reversing-labs",
            "import_time": "2025-12-02T09:09:36.062448856Z"
        },
        {
            "versions": [
                "3.13.1"
            ],
            "modified_time": "2025-10-22T12:41:46.169521Z",
            "sha256": "649f3bd8674eef95a14f9f389db5a8900362ba5f5f18381ffaa885a43395db8a",
            "id": "pypi/2025-10-asynhttp/asynhttp",
            "source": "kam193",
            "import_time": "2025-12-02T22:30:54.954400918Z"
        },
        {
            "versions": [
                "3.13.1"
            ],
            "modified_time": "2025-10-22T12:41:46.169521Z",
            "sha256": "2c5f91525485110943474c187077da4ab6ef21e3209e4d6e7abf1007321cf1cd",
            "id": "pypi/2025-10-asynhttp/asynhttp",
            "source": "kam193",
            "import_time": "2025-12-02T23:07:17.994367438Z"
        },
        {
            "versions": [
                "3.13.1"
            ],
            "modified_time": "2025-10-22T12:41:46.169521Z",
            "sha256": "058c3bab076ccb770a3ecaefbdb301df88bd935a79f154cdeb329c51c4a1eef5",
            "id": "pypi/2025-10-asynhttp/asynhttp",
            "source": "kam193",
            "import_time": "2025-12-10T18:45:05.206746196Z"
        },
        {
            "modified_time": "2026-03-18T12:11:20Z",
            "sha256": "d26ba778d37d3f66388d7a6df9468b6b43847d3f998df59716fb385da9a84fc1",
            "id": "RLUA-2026-00093",
            "source": "reversing-labs",
            "import_time": "2026-03-19T12:19:24.824047024Z"
        }
    ]
}
References
Credits

Affected packages

PyPI / asynhttp

Package

Name
asynhttp
View open source insights on deps.dev
Purl
pkg:pypi/asynhttp

Affected ranges

Affected versions

3.*
3.13.1

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/asynhttp/MAL-2025-191619.json"