MAL-2025-191658

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/richx/MAL-2025-191658.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191658
Published
2025-10-31T13:39:17Z
Modified
2026-03-19T12:56:37.643196Z
Summary
Malicious code in richx (PyPI)
Details

Source: kam193 (924fa9cf3bc0754ab76a7b5960deb5b7295f4f0f3270cc5724214bdd7d543675)

Packages silently decrypt content hidden in a dependency and load it as Python extension modules.

In the first wave, those were copies of the legitimate aiohttp and aiohappyeyeballs packages. In the second wave, the malicious packages were good-looking forks of the legitimate rich and pygments packages.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-10-asynhttp

Reasons (based on the campaign):

  • typosquatting

  • exfiltration-generic

  • obfuscation

  • clones-real-package

  • native-extension

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.1.0",
                "1.0.0",
                "1.1.0",
                "1.1.1"
            ],
            "id": "RLMA-2025-05634",
            "modified_time": "2025-12-01T12:54:58Z",
            "import_time": "2025-12-02T09:09:39.301719659Z",
            "sha256": "036fba5a603820dcef3d116881967e5b16752ba12ab9defa82108ea1b9d5d74e",
            "source": "reversing-labs"
        },
        {
            "versions": [
                "1.1.1",
                "1.1.0",
                "1.0.0",
                "0.1.0"
            ],
            "id": "pypi/2025-10-asynhttp/richx",
            "modified_time": "2025-10-31T13:39:17.445422Z",
            "import_time": "2025-12-02T22:30:55.547645725Z",
            "sha256": "4c0132f75e4f988478a217acec24062b5e1fd4db594160f82753587abf21e54f",
            "source": "kam193"
        },
        {
            "versions": [
                "1.1.1",
                "1.1.0",
                "1.0.0",
                "0.1.0"
            ],
            "id": "pypi/2025-10-asynhttp/richx",
            "modified_time": "2025-10-31T13:39:17.445422Z",
            "import_time": "2025-12-02T23:07:18.58710634Z",
            "sha256": "69bf6a25eb1113fcd3fb44186249000b57a995656da40d198f084fcb2fd2525b",
            "source": "kam193"
        },
        {
            "versions": [
                "1.1.1",
                "1.1.0",
                "1.0.0",
                "0.1.0"
            ],
            "id": "pypi/2025-10-asynhttp/richx",
            "modified_time": "2025-10-31T13:39:17.445422Z",
            "import_time": "2025-12-10T18:45:05.211505292Z",
            "sha256": "924fa9cf3bc0754ab76a7b5960deb5b7295f4f0f3270cc5724214bdd7d543675",
            "source": "kam193"
        },
        {
            "versions": [
                "0.1.0",
                "1.0.0",
                "1.1.0",
                "1.1.1"
            ],
            "id": "pypi/2025-10-asynhttp/richx",
            "modified_time": "2025-10-31T13:39:17.445422Z",
            "import_time": "2025-12-30T22:39:04.164939126Z",
            "sha256": "76a88a6f9ca106cdb5e71308ced90231e0319ebe14428736d0848d0191815a56",
            "source": "kam193"
        },
        {
            "id": "RLUA-2026-00723",
            "modified_time": "2026-03-18T12:18:23Z",
            "import_time": "2026-03-19T12:20:24.179350395Z",
            "sha256": "8b61bfdcf618edfa504103905add2cb1f4b6438931611f93a8a3ac4c6b2da9e3",
            "source": "reversing-labs"
        }
    ]
}
References
Credits

Affected packages

Package: PyPI / richx

Affected ranges: 0.*, 1.*

Affected versions: 0.1.0, 1.0.0, 1.1.0, 1.1.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/richx/MAL-2025-191658.json"