-= Per source details. Do not edit below this line.=-
Clone of Telethon package that exfiltrates credentials. See client/telegrambaseclient.py L608-626 (exfiltration function) and client/auth.py L163 (usage).
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-04-fastgram
Reasons (based on the campaign):
 - clones-real-package
 - action-hidden-in-lib-usage
 - exfiltration-generic
{
  "iocs": {
    "domains": [
      "a1091388.xsph.ru",
      "a1124634.xsph.ru"
    ]
  },
  "malicious-packages-origins": [
    {
      "id": "pypi/2025-04-fastgram/fastertelethon",
      "modified_time": "2025-04-04T12:54:50Z",
      "import_time": "2025-12-02T22:30:55.18520753Z",
      "sha256": "b24babfe443100b225270a7cc7bff07ed10e39121be0694653ec59a91ef88a3b",
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],
      "source": "kam193"
    },
    {
      "id": "pypi/2025-04-fastgram/fastertelethon",
      "modified_time": "2025-04-04T12:54:50Z",
      "import_time": "2025-12-02T23:07:18.193739151Z",
      "sha256": "3ccfc281c2541df7e1354e6de8c64624fdc75dcc229d33962b171b0a95087edf",
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],
      "source": "kam193"
    },
    {
      "versions": [
        "1.0.5",
        "1.0.0"
      ],
      "id": "pypi/2025-04-fastgram/fastertelethon",
      "modified_time": "2025-04-04T12:54:50Z",
      "import_time": "2025-12-10T21:38:57.478070426Z",
      "sha256": "ca8244ca6a84b757f58716bc8bb3a219e381ba136bb9c637d29fc549f928cef6",
      "source": "kam193"
    },
    {
      "versions": [
        "1.0.0",
        "1.0.5"
      ],
      "id": "pypi/2025-04-fastgram/fastertelethon",
      "modified_time": "2025-04-04T12:54:50Z",
      "import_time": "2025-12-30T22:39:04.081852736Z",
      "sha256": "8ab64081fd1ef60d3b7ca9424cbe8653e1b3716d9fc8bb721919501ccef08714",
      "source": "kam193"
    }
  ]
}