MAL-2025-191723

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fastertelethon/MAL-2025-191723.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191723
Published
2025-04-04T12:54:50Z
Modified
2025-12-31T02:53:38.317005Z
Summary
Malicious code in fastertelethon (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (3ccfc281c2541df7e1354e6de8c64624fdc75dcc229d33962b171b0a95087edf)

Clone of Telethon package that exfiltrates credentials. See client/telegrambaseclient.py L608-626 (exfiltration function) and client/auth.py L163 (usage).


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-04-fastgram

Reasons (based on the campaign):

  • clones-real-package

  • action-hidden-in-lib-usage

  • exfiltration-generic

Database specific
{
    "iocs": {
        "domains": [
            "a1091388.xsph.ru",
            "a1124634.xsph.ru"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "pypi/2025-04-fastgram/fastertelethon",
            "modified_time": "2025-04-04T12:54:50Z",
            "import_time": "2025-12-02T22:30:55.18520753Z",
            "sha256": "b24babfe443100b225270a7cc7bff07ed10e39121be0694653ec59a91ef88a3b",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "id": "pypi/2025-04-fastgram/fastertelethon",
            "modified_time": "2025-04-04T12:54:50Z",
            "import_time": "2025-12-02T23:07:18.193739151Z",
            "sha256": "3ccfc281c2541df7e1354e6de8c64624fdc75dcc229d33962b171b0a95087edf",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "versions": [
                "1.0.5",
                "1.0.0"
            ],
            "id": "pypi/2025-04-fastgram/fastertelethon",
            "modified_time": "2025-04-04T12:54:50Z",
            "import_time": "2025-12-10T21:38:57.478070426Z",
            "sha256": "ca8244ca6a84b757f58716bc8bb3a219e381ba136bb9c637d29fc549f928cef6",
            "source": "kam193"
        },
        {
            "versions": [
                "1.0.0",
                "1.0.5"
            ],
            "id": "pypi/2025-04-fastgram/fastertelethon",
            "modified_time": "2025-04-04T12:54:50Z",
            "import_time": "2025-12-30T22:39:04.081852736Z",
            "sha256": "8ab64081fd1ef60d3b7ca9424cbe8653e1b3716d9fc8bb721919501ccef08714",
            "source": "kam193"
        }
    ]
}
References
Credits

Affected packages

PyPI / fastertelethon

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fastertelethon/MAL-2025-191723.json"