MAL-2025-191654

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pygments-richstyle/MAL-2025-191654.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191654
Published
2025-10-31T14:08:59Z
Modified
2026-03-19T12:55:51.146387Z
Summary
Malicious code in pygments-richstyle (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (a965f61b1e51e6c96a8987633eaf2f23001320e4c6b884c33603230c66798e74)

Packages silently decrypt content hidden in a dependency and load it as Python extension modules.

In the first wave, those are copies of the legitimate aiohttp and aiohappyeyeballs packages. In the second wave, malicious packages created good-looking forks of the legitimate rich and pygments packages.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-10-asynhttp

Reasons (based on the campaign):

  • typosquatting

  • exfiltration-generic

  • obfuscation

  • clones-real-package

  • native-extension

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "reversing-labs",
            "id": "RLMA-2025-05628",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2025-12-02T09:09:38.934815868Z",
            "sha256": "6b49aa9502d6164b44069711b872ae64859f1ee6c43f5cd65745a3fd13cc5d6f",
            "modified_time": "2025-12-01T12:54:52Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2025-10-asynhttp/pygments-richstyle",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2025-12-02T22:30:55.466584746Z",
            "sha256": "1a522c8b8020b2bc892dccb2ac852a0a95c0eeb3fc0f94f7e4fff0da98979fa1",
            "modified_time": "2025-10-31T14:08:59.57345Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2025-10-asynhttp/pygments-richstyle",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2025-12-02T23:07:18.491303985Z",
            "sha256": "ed44cafe4fd7aebba15cdc8a14058888e3071523ae21ea13f827a1b9713033cd",
            "modified_time": "2025-10-31T14:08:59.57345Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2025-10-asynhttp/pygments-richstyle",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2025-12-10T18:45:05.21065568Z",
            "sha256": "a965f61b1e51e6c96a8987633eaf2f23001320e4c6b884c33603230c66798e74",
            "modified_time": "2025-10-31T14:08:59.57345Z"
        },
        {
            "source": "reversing-labs",
            "id": "RLUA-2026-00634",
            "modified_time": "2026-03-18T12:17:28Z",
            "import_time": "2026-03-19T12:20:15.705507363Z",
            "sha256": "93c92401274f72ed49706fcca3207624059529f6f2e375ce2033a831a85d17e3"
        }
    ]
}

Affected packages

PyPI / pygments-richstyle

Package

Name
pygments-richstyle
Purl
pkg:pypi/pygments-richstyle

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pygments-richstyle/MAL-2025-191654.json"