-= Per source details. Do not edit below this line.=-
Before creating the boto3 client, package exfiltrates user's credentials. In this version, the exfiltrating is masked as connecting to an AWS component. The URL to the component is expected to be hex-encoded. In fact, the related GitHub project uses it as a dependency and sets as the URL the attacker-controlled domain. In this way, the AWS libraries are abused to generate the request to the malicious infrastructure and exfiltrate credentials.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-08-aws-enumerate
Reasons (based on the campaign):
exfiltration-generic
action-hidden-in-lib-usage
exfiltration-credentials
{
"malicious-packages-origins": [
{
"versions": [
"1.0.2",
"1.0.1",
"1.0.0"
],
"sha256": "8d791e3fca589d90934a79ee3a601d20361d83e0420175ddfd9aecc98e1f0fb7",
"modified_time": "2025-11-18T23:47:36.353225Z",
"source": "kam193",
"id": "pypi/2025-08-aws-enumerate/aws-enumerateiam",
"import_time": "2025-12-02T22:30:54.959979014Z"
},
{
"versions": [
"1.0.2",
"1.0.1",
"1.0.0"
],
"sha256": "c108190780b32337fdce8748948935ac4229f0236710653f363b80a95dfbcd17",
"modified_time": "2025-11-18T23:47:36.353225Z",
"source": "kam193",
"id": "pypi/2025-08-aws-enumerate/aws-enumerateiam",
"import_time": "2025-12-02T23:07:18.000475059Z"
},
{
"versions": [
"1.0.0",
"1.0.1",
"1.0.2"
],
"sha256": "932a89b134a2b2fe407fef9cd90fb9ec01363e500140e8747f9428e7bf860c41",
"modified_time": "2025-12-23T08:38:01Z",
"source": "reversing-labs",
"id": "RLMA-2025-06554",
"import_time": "2025-12-24T10:07:30.11401291Z"
},
{
"versions": [
"1.0.0",
"1.0.1",
"1.0.2"
],
"sha256": "1b89c3d77d9a31a8a92f0848e7fc4486ab167e545036a74a76ab7d9500a50a20",
"modified_time": "2025-11-18T23:47:36.353225Z",
"source": "kam193",
"id": "pypi/2025-08-aws-enumerate/aws-enumerateiam",
"import_time": "2025-12-30T22:39:04.044534138Z"
},
{
"sha256": "adc5fcb4d46510080b1f5a44215aa116cd4e4db43c1062ec427b665b682a86ca",
"modified_time": "2026-03-18T12:11:42Z",
"source": "reversing-labs",
"id": "RLUA-2026-00128",
"import_time": "2026-03-19T12:19:27.931717825Z"
}
],
"iocs": {
"urls": [
"https://api.aliyun-sdk-requests.xyz/aws",
"https://github.com/kohlersbtuh15/accesskey_tools"
],
"domains": [
"api.aliyun-sdk-requests.xyz",
"aliyun-sdk-requests.xyz"
]
}
}