-= Per source details. Do not edit below this line.=-
Already during the installation, the file with slightly obfuscated code is loaded and starts exfiltrating information about the host. It especially targets information about additional indexes configured for pip. Data is exfiltrated using DNS queries
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-03-conn-utils
Reasons (based on the campaign):
exfiltration-generic
obfuscation
{
"iocs": {
"domains": [
"m.yubitusoft.com",
"yubitusoft.com"
]
},
"malicious-packages-origins": [
{
"id": "pypi/2025-03-conn-utils/conn-utils",
"modified_time": "2025-03-27T22:55:06Z",
"import_time": "2025-12-02T22:30:55.070016463Z",
"sha256": "9415738fe47d6605e14842900c93f6fe33a33bceb754c53c8f95d48d5b1bbdc8",
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "kam193"
},
{
"id": "pypi/2025-03-conn-utils/conn-utils",
"modified_time": "2025-03-27T22:55:06Z",
"import_time": "2025-12-02T23:07:18.080388106Z",
"sha256": "25be0eaa51dd4c4ba03afd81b4cfad938ceb07dacb0195a9179b46413178e086",
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "kam193"
},
{
"versions": [
"1.6.10",
"1.6.11"
],
"id": "pypi/2025-03-conn-utils/conn-utils",
"modified_time": "2025-03-27T22:55:06Z",
"import_time": "2025-12-10T21:38:57.373243874Z",
"sha256": "35c56d8161b2bd9aa98bd665b045ba4007e48af10d1bfd9b9925abf0afa5a330",
"source": "kam193"
}
]
}