MAL-2025-191748

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/hancsv/MAL-2025-191748.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-191748

Published

2025-06-29T16:56:08Z

Modified

2025-12-12T20:39:56.403278Z

Summary

Malicious code in hancsv (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (bb3fdca931bea8323cd7a8c2578f6d0c0594b3ea1b30df1819830168fe90983b)

Importing the module triggers downloading and executing Powershell script. The script collects information about the host (including e.g. startup applications) and also downloads the next stage executable.

While the package contains a security disclaimer, the behaviour is still malicious and crosses the researching line.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-06-hancsv

Reasons (based on the campaign):

Downloads and executes a remote malicious script.
Downloads and executes a remote executable.
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "ab165fde7f7a8a49c8b7f1e0d96e13a69f04af0e499373cc0925c5fc23c5be96",
            "source": "kam193",
            "modified_time": "2025-06-29T16:56:08Z",
            "id": "pypi/2025-06-hancsv/hancsv",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T22:30:55.234594858Z"
        },
        {
            "sha256": "bb3fdca931bea8323cd7a8c2578f6d0c0594b3ea1b30df1819830168fe90983b",
            "source": "kam193",
            "modified_time": "2025-06-29T16:56:08Z",
            "id": "pypi/2025-06-hancsv/hancsv",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T23:07:18.256333425Z"
        },
        {
            "sha256": "119b3a03641ebbc3e89a0bc40e45b5146b6f61b9523cbcc18216015259f74fa7",
            "source": "kam193",
            "modified_time": "2025-06-29T16:56:08Z",
            "id": "pypi/2025-06-hancsv/hancsv",
            "versions": [
                "1.2"
            ],
            "import_time": "2025-12-10T21:38:57.52010717Z"
        }
    ],
    "iocs": {
        "ips": [
            "13.125.103.41"
        ],
        "urls": [
            "http://13.125.103.41:8000/download?f=exe",
            "http://13.125.103.41:8000/download?f=powershell",
            "http://13.125.103.41:8000/report"
        ]
    }
}

References

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / hancsv

Package

Name: hancsv; View open source insights on deps.dev
Purl: pkg:pypi/hancsv

Affected ranges

Affected versions

1.*

1.2

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/hancsv/MAL-2025-191748.json"