MAL-2025-191774

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/kertash/MAL-2025-191774.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191774
Published
2025-08-12T10:29:23Z
Modified
2025-12-31T02:56:06.109218Z
Summary
Malicious code in kertash (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (3cb3ef6da7e0d1c1461bb944c5ff0e356b73e52d271afa9e94435097f1d0764f)

When methods from the package are used, it downloads obfuscated code from GitHub and places it in multiple locations. While this code appears to perform the action the user requested, deobfuscation reveals that it exfiltrates the user's data instead.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-kertash

Reasons (based on the campaign):

  • exfiltration-generic

  • A Telegram webhook is used to send collected data.

  • obfuscation

  • action-hidden-in-lib-usage

Database specific
{
    "iocs": {
        "urls": [
            "https://raw.githubusercontent.com/0xPwnme/kertash/refs/heads/main/kertash.py"
        ]
    },
    "malicious-packages-origins": [
        {
            "sha256": "9186893a63a7ed152a9b7d37d35db076087019315d9ccf5e53b6862fc12fd5a3",
            "id": "pypi/2025-08-kertash/kertash",
            "versions": [
                "0.1.5",
                "0.1.4"
            ],
            "import_time": "2025-12-02T22:30:55.29810541Z",
            "modified_time": "2025-08-12T10:29:23.351674Z",
            "source": "kam193"
        },
        {
            "sha256": "3cb3ef6da7e0d1c1461bb944c5ff0e356b73e52d271afa9e94435097f1d0764f",
            "id": "pypi/2025-08-kertash/kertash",
            "versions": [
                "0.1.5",
                "0.1.4"
            ],
            "import_time": "2025-12-02T23:07:18.323266233Z",
            "modified_time": "2025-08-12T10:29:23.351674Z",
            "source": "kam193"
        },
        {
            "sha256": "562b62099929e8a145015ac5b08bdc0d669a9cd030f8fe524d9e523bdca392c0",
            "id": "pypi/2025-08-kertash/kertash",
            "versions": [
                "0.1.4",
                "0.1.5"
            ],
            "import_time": "2025-12-30T22:39:04.115246658Z",
            "modified_time": "2025-08-12T10:29:23.351674Z",
            "source": "kam193"
        }
    ]
}

Affected packages

PyPI / kertash

Package

Affected ranges

Affected versions

0.*
0.1.4
0.1.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/kertash/MAL-2025-191774.json"