MAL-2025-191706

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/conn-utils/MAL-2025-191706.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191706
Published
2025-03-27T22:55:06Z
Modified
2025-12-12T20:34:36.162638Z
Summary
Malicious code in conn-utils (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (25be0eaa51dd4c4ba03afd81b4cfad938ceb07dacb0195a9179b46413178e086)

Already during the installation, the file with slightly obfuscated code is loaded and starts exfiltrating information about the host. It especially targets information about additional indexes configured for pip. Data is exfiltrated using DNS queries


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-03-conn-utils

Reasons (based on the campaign):

  • exfiltration-generic

  • obfuscation

Database specific
{
    "iocs": {
        "domains": [
            "m.yubitusoft.com",
            "yubitusoft.com"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "pypi/2025-03-conn-utils/conn-utils",
            "modified_time": "2025-03-27T22:55:06Z",
            "import_time": "2025-12-02T22:30:55.070016463Z",
            "sha256": "9415738fe47d6605e14842900c93f6fe33a33bceb754c53c8f95d48d5b1bbdc8",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "id": "pypi/2025-03-conn-utils/conn-utils",
            "modified_time": "2025-03-27T22:55:06Z",
            "import_time": "2025-12-02T23:07:18.080388106Z",
            "sha256": "25be0eaa51dd4c4ba03afd81b4cfad938ceb07dacb0195a9179b46413178e086",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "versions": [
                "1.6.10",
                "1.6.11"
            ],
            "id": "pypi/2025-03-conn-utils/conn-utils",
            "modified_time": "2025-03-27T22:55:06Z",
            "import_time": "2025-12-10T21:38:57.373243874Z",
            "sha256": "35c56d8161b2bd9aa98bd665b045ba4007e48af10d1bfd9b9925abf0afa5a330",
            "source": "kam193"
        }
    ]
}
References
Credits

Affected packages

PyPI / conn-utils

Package

Affected ranges

Affected versions

1.*
1.6.10
1.6.11

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/conn-utils/MAL-2025-191706.json"