-= Per source details. Do not edit below this line.=-
Packages silently decrypt content hidden in a dependency and load them as Python extension modules.
In the first wave, those are copies of legitimate aiohttp and aiohappyeyeballs packages. In the second wave, malicious packages created good-looking forks of legitimate rich and pigments packages.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-10-asynhttp
Reasons (based on the campaign):
typosquatting
exfiltration-generic
obfuscation
clones-real-package
native-extension
{
"malicious-packages-origins": [
{
"versions": [
"0.1.0",
"1.0.0",
"1.1.0",
"1.1.1"
],
"id": "RLMA-2025-05634",
"modified_time": "2025-12-01T12:54:58Z",
"import_time": "2025-12-02T09:09:39.301719659Z",
"sha256": "036fba5a603820dcef3d116881967e5b16752ba12ab9defa82108ea1b9d5d74e",
"source": "reversing-labs"
},
{
"versions": [
"1.1.1",
"1.1.0",
"1.0.0",
"0.1.0"
],
"id": "pypi/2025-10-asynhttp/richx",
"modified_time": "2025-10-31T13:39:17.445422Z",
"import_time": "2025-12-02T22:30:55.547645725Z",
"sha256": "4c0132f75e4f988478a217acec24062b5e1fd4db594160f82753587abf21e54f",
"source": "kam193"
},
{
"versions": [
"1.1.1",
"1.1.0",
"1.0.0",
"0.1.0"
],
"id": "pypi/2025-10-asynhttp/richx",
"modified_time": "2025-10-31T13:39:17.445422Z",
"import_time": "2025-12-02T23:07:18.58710634Z",
"sha256": "69bf6a25eb1113fcd3fb44186249000b57a995656da40d198f084fcb2fd2525b",
"source": "kam193"
},
{
"versions": [
"1.1.1",
"1.1.0",
"1.0.0",
"0.1.0"
],
"id": "pypi/2025-10-asynhttp/richx",
"modified_time": "2025-10-31T13:39:17.445422Z",
"import_time": "2025-12-10T18:45:05.211505292Z",
"sha256": "924fa9cf3bc0754ab76a7b5960deb5b7295f4f0f3270cc5724214bdd7d543675",
"source": "kam193"
},
{
"versions": [
"0.1.0",
"1.0.0",
"1.1.0",
"1.1.1"
],
"id": "pypi/2025-10-asynhttp/richx",
"modified_time": "2025-10-31T13:39:17.445422Z",
"import_time": "2025-12-30T22:39:04.164939126Z",
"sha256": "76a88a6f9ca106cdb5e71308ced90231e0319ebe14428736d0848d0191815a56",
"source": "kam193"
},
{
"id": "RLUA-2026-00723",
"modified_time": "2026-03-18T12:18:23Z",
"import_time": "2026-03-19T12:20:24.179350395Z",
"sha256": "8b61bfdcf618edfa504103905add2cb1f4b6438931611f93a8a3ac4c6b2da9e3",
"source": "reversing-labs"
}
]
}