-= Per source details. Do not edit below this line.=-
Clone of Telethon package that exfiltrates credentials. See client/telegrambaseclient.py L608-626 (exfiltration function) and client/auth.py L163 (usage).
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-04-fastgram
Reasons (based on the campaign):
clones-real-package
action-hidden-in-lib-usage
exfiltration-generic
{
  "malicious-packages-origins": [
    {
      "sha256": "02bb29c9a5fde0b97aee82db7bed5ddc340092a8b5ebdba1a5dcf4c83e74001f",
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "modified_time": "2025-04-04T12:54:50Z",
      "source": "kam193",
      "id": "pypi/2025-04-fastgram/fastgram",
      "import_time": "2025-12-02T22:30:55.186110197Z"
    },
    {
      "sha256": "bbc47050a01cdb07bbf87c6a6f47028545200c85d553a4952b686a705a6d7d3c",
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "modified_time": "2025-04-04T12:54:50Z",
      "source": "kam193",
      "id": "pypi/2025-04-fastgram/fastgram",
      "import_time": "2025-12-02T23:07:18.194566194Z"
    },
    {
      "versions": [
        "1.0.0"
      ],
      "sha256": "3841e1d28a332584c8d90360cb9c7c6c3a7a0229b9e1618c43158408598dd365",
      "modified_time": "2025-04-04T12:54:50Z",
      "source": "kam193",
      "id": "pypi/2025-04-fastgram/fastgram",
      "import_time": "2025-12-10T21:38:57.479038772Z"
    }
  ],
  "iocs": {
    "domains": [
      "a1091388.xsph.ru",
      "a1124634.xsph.ru"
    ]
  }
}