MAL-2025-191689
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/backtradingbot/MAL-2025-191689.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2025-191689
- Published
- 2025-07-31T08:37:38Z
- Modified
- 2025-12-31T02:52:30.867971Z
- Summary
- Malicious code in backtradingbot (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (117c24f5b7a0f5e4921e4478231a717ecca01748a5b266d8984e619f06173984)
Running the installed entry point downloads and executes remote code. During the analysis, the code was switching to websockets, adding a startup script and downloading next stages, which finally looked for browser and crypto wallet data. Currently, they seem not to attempt exfiltration of very sensitive data but rather a presence of different webbrowsers and wallets.
It uses the same remote domain as campaign 2025-07-db-indicator, but significantly different payload.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-07-backtradingbot
Reasons (based on the campaign):
Downloads and executes a remote malicious script.
peristence-autorun
exfiltration-browser-data
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
crypto-related
- Database specific
{ "iocs": { "domains": [ "etherjs.pro" ], "urls": [ "https://api.etherjs.pro/sockets?type=2", "https://api.etherjs.pro/sockets?type=2&cid=ft" ] }, "malicious-packages-origins": [ { "source": "kam193", "modified_time": "2025-07-31T08:37:38.895634Z", "sha256": "e6ba5a032a0d73af329025dde0405bd7f1847f95e6cc19af6a7fb1c448874738", "id": "pypi/2025-07-backtradingbot/backtradingbot", "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "import_time": "2025-12-02T22:30:54.966139974Z" }, { "source": "kam193", "modified_time": "2025-07-31T08:37:38.895634Z", "sha256": "117c24f5b7a0f5e4921e4478231a717ecca01748a5b266d8984e619f06173984", "id": "pypi/2025-07-backtradingbot/backtradingbot", "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "import_time": "2025-12-02T23:07:18.003966867Z" }, { "versions": [ "0.1.2", "0.1.1", "0.1.3", "0.1.4", "0.1.5" ], "modified_time": "2025-07-31T08:37:38.895634Z", "sha256": "ce3087733438f472d2652f1c18c089932f54dbe353e966b440fe57c30f6a7c75", "id": "pypi/2025-07-backtradingbot/backtradingbot", "source": "kam193", "import_time": "2025-12-10T21:38:57.305501438Z" }, { "versions": [ "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5" ], "modified_time": "2025-07-31T08:37:38.895634Z", "sha256": "5d66cb7e375b65f749267ca86c38fc16c318851ec20c7cfdf351f98339720fc5", "id": "pypi/2025-07-backtradingbot/backtradingbot", "source": "kam193", "import_time": "2025-12-30T22:39:04.046648871Z" } ] }- References
- Credits
-
-
- Kamil Mańkowski (kam193)
-
- Kamil Mańkowski (kam193) - REPORTER
-
Affected packages
PyPI / backtradingbot
Package
- Name
- backtradingbot
- View open source insights on deps.dev
- Purl
- pkg:pypi/backtradingbot