MAL-2025-191686

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/aws-enumerateiam/MAL-2025-191686.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191686
Published
2025-11-18T23:47:36Z
Modified
2026-03-19T12:50:54.836351Z
Summary
Malicious code in aws-enumerateiam (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (c108190780b32337fdce8748948935ac4229f0236710653f363b80a95dfbcd17)

Before creating the boto3 client, package exfiltrates user's credentials. In this version, the exfiltrating is masked as connecting to an AWS component. The URL to the component is expected to be hex-encoded. In fact, the related GitHub project uses it as a dependency and sets as the URL the attacker-controlled domain. In this way, the AWS libraries are abused to generate the request to the malicious infrastructure and exfiltrate credentials.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-aws-enumerate

Reasons (based on the campaign):

  • exfiltration-generic

  • action-hidden-in-lib-usage

  • exfiltration-credentials

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.2",
                "1.0.1",
                "1.0.0"
            ],
            "sha256": "8d791e3fca589d90934a79ee3a601d20361d83e0420175ddfd9aecc98e1f0fb7",
            "modified_time": "2025-11-18T23:47:36.353225Z",
            "source": "kam193",
            "id": "pypi/2025-08-aws-enumerate/aws-enumerateiam",
            "import_time": "2025-12-02T22:30:54.959979014Z"
        },
        {
            "versions": [
                "1.0.2",
                "1.0.1",
                "1.0.0"
            ],
            "sha256": "c108190780b32337fdce8748948935ac4229f0236710653f363b80a95dfbcd17",
            "modified_time": "2025-11-18T23:47:36.353225Z",
            "source": "kam193",
            "id": "pypi/2025-08-aws-enumerate/aws-enumerateiam",
            "import_time": "2025-12-02T23:07:18.000475059Z"
        },
        {
            "versions": [
                "1.0.0",
                "1.0.1",
                "1.0.2"
            ],
            "sha256": "932a89b134a2b2fe407fef9cd90fb9ec01363e500140e8747f9428e7bf860c41",
            "modified_time": "2025-12-23T08:38:01Z",
            "source": "reversing-labs",
            "id": "RLMA-2025-06554",
            "import_time": "2025-12-24T10:07:30.11401291Z"
        },
        {
            "versions": [
                "1.0.0",
                "1.0.1",
                "1.0.2"
            ],
            "sha256": "1b89c3d77d9a31a8a92f0848e7fc4486ab167e545036a74a76ab7d9500a50a20",
            "modified_time": "2025-11-18T23:47:36.353225Z",
            "source": "kam193",
            "id": "pypi/2025-08-aws-enumerate/aws-enumerateiam",
            "import_time": "2025-12-30T22:39:04.044534138Z"
        },
        {
            "sha256": "adc5fcb4d46510080b1f5a44215aa116cd4e4db43c1062ec427b665b682a86ca",
            "modified_time": "2026-03-18T12:11:42Z",
            "source": "reversing-labs",
            "id": "RLUA-2026-00128",
            "import_time": "2026-03-19T12:19:27.931717825Z"
        }
    ],
    "iocs": {
        "urls": [
            "https://api.aliyun-sdk-requests.xyz/aws",
            "https://github.com/kohlersbtuh15/accesskey_tools"
        ],
        "domains": [
            "api.aliyun-sdk-requests.xyz",
            "aliyun-sdk-requests.xyz"
        ]
    }
}
References
Credits

Affected packages

PyPI / aws-enumerateiam

Package

Name
aws-enumerateiam
View open source insights on deps.dev
Purl
pkg:pypi/aws-enumerateiam

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/aws-enumerateiam/MAL-2025-191686.json"