-= Per source details. Do not edit below this line.=-
The packages silently decrypt content hidden in a dependency and load it as Python extension modules.
In the first wave, those are copies of the legitimate aiohttp and aiohappyeyeballs packages. In the second wave, malicious packages created good-looking forks of the legitimate rich and pigments packages.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-10-asynhttp
Reasons (based on the campaign):
typosquatting
exfiltration-generic
obfuscation
clones-real-package
native-extension
{
"malicious-packages-origins": [
{
"versions": [
"3.13.1"
],
"id": "RLMA-2025-05601",
"modified_time": "2025-12-01T12:54:25Z",
"import_time": "2025-12-02T09:09:37.155313986Z",
"sha256": "b844fd19cd54946f87975380d6567c6735c58e57248053c3c49c403d58617553",
"source": "reversing-labs"
},
{
"versions": [
"3.14.0"
],
"id": "pypi/2025-10-asynhttp/httpserver-cache",
"modified_time": "2025-10-27T12:59:04.890586Z",
"import_time": "2025-12-02T22:30:55.257088844Z",
"sha256": "b6d14c1a0634b7c0ebef204b42090ed65d5b0246f29b8707d35794830096fdea",
"source": "kam193"
},
{
"versions": [
"3.14.0"
],
"id": "pypi/2025-10-asynhttp/httpserver-cache",
"modified_time": "2025-10-27T12:59:04.890586Z",
"import_time": "2025-12-02T23:07:18.280198918Z",
"sha256": "e7a215e207f060c3cd06c2ca78ad57787473b5a9509572b34c4e0fd873bc1a85",
"source": "kam193"
},
{
"versions": [
"3.14.0"
],
"id": "pypi/2025-10-asynhttp/httpserver-cache",
"modified_time": "2025-10-27T12:59:04.890586Z",
"import_time": "2025-12-10T18:45:05.208391814Z",
"sha256": "f48fad5068e7bfd86223ca6ef2fbf939ae684f2a4ae499f15f9cbe1e0cd9144d",
"source": "kam193"
},
{
"id": "RLUA-2026-00400",
"modified_time": "2026-03-18T12:14:45Z",
"import_time": "2026-03-19T12:19:52.73976624Z",
"sha256": "cf6cc2d765cfb74609601f71d8c0fd9b7afe63c6821e1d840b08e3c1fb9f1f0d",
"source": "reversing-labs"
}
]
}