-= Per source details. Do not edit below this line.=-
The package contains the same deobfuscation code as previous packages, but the malicious code itself is missing.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-02-coinanalyze
Reasons (based on the campaign):
 - backdoor
 - typosquatting
 - obfuscation
 - clones-real-package
 - crypto-related
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
{
  "iocs": {
    "domains": [
      "wonderchristmas.store",
      "netupdates.info"
    ],
    "urls": [
      "https://wonderchristmas.store/jupdate.php",
      "http://netupdates.info/board/board.php"
    ]
  },
  "malicious-packages-origins": [
    {
      "versions": [
        "1.0.1"
      ],
      "id": "pypi/2025-02-coinanalyze/kingwork-test",
      "modified_time": "2025-10-29T22:18:38.759615Z",
      "import_time": "2025-12-02T22:30:55.300618306Z",
      "sha256": "85dcde9dc669afc77b0fed0db742a0c5ca62c49ad686ce2657f3581b6319c4ed",
      "source": "kam193"
    },
    {
      "versions": [
        "1.0.1"
      ],
      "id": "pypi/2025-02-coinanalyze/kingwork-test",
      "modified_time": "2025-10-29T22:18:38.759615Z",
      "import_time": "2025-12-02T23:07:18.325704412Z",
      "sha256": "5f5651b094b6f22f4f79f533c24bb398eb10ed340bfccdcdc75fa5dcfc98b8bf",
      "source": "kam193"
    }
  ]
}