MAL-2025-191778

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/kraken123/MAL-2025-191778.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-191778

Published

2025-08-29T12:14:53Z

Modified

2025-12-31T02:54:32.672175Z

Summary

Malicious code in kraken123 (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (dc2f76a61af953726f4fc219f725013ce8b477860b47433b7fc0444994ffcfd5)

As even described, the package contains a malicious code collecting large amount of data. The description suggests educational use, yet, the code can cause real harm. Specifically, the C2 servers defined in the package seems to be selected as trusted domains that would ignore the data sent. However, among them is at least one domain available for sale at the time of analysis - opening the room for collecting data by the uploader.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-kraken-virus

Reasons (based on the campaign):

malware
exfiltration-browser-data
exfiltration-generic

Database specific

{
    "iocs": {
        "domains": [
            "azure-monitor.org"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "pypi/2025-08-kraken-virus/kraken123",
            "import_time": "2025-12-02T22:30:55.302837354Z",
            "sha256": "36e96c988702835bbe57867c03f8066e0013c4ba0387b75a40240be6053cee9a",
            "source": "kam193",
            "modified_time": "2025-09-14T20:50:28.662413Z",
            "versions": [
                "0.4.0",
                "0.3.0",
                "0.2.0",
                "0.1.0",
                "0.5.0"
            ]
        },
        {
            "id": "pypi/2025-08-kraken-virus/kraken123",
            "import_time": "2025-12-02T23:07:18.328373481Z",
            "sha256": "dc2f76a61af953726f4fc219f725013ce8b477860b47433b7fc0444994ffcfd5",
            "source": "kam193",
            "modified_time": "2025-09-14T20:50:28.662413Z",
            "versions": [
                "0.4.0",
                "0.3.0",
                "0.2.0",
                "0.1.0",
                "0.5.0"
            ]
        },
        {
            "id": "pypi/2025-08-kraken-virus/kraken123",
            "import_time": "2025-12-30T22:39:04.11603588Z",
            "sha256": "743144de203d6ca5d29a26cc27d8ebbde60e11e94756cc327b3fc92e8bba2495",
            "source": "kam193",
            "modified_time": "2025-09-14T20:50:28.662413Z",
            "versions": [
                "0.1.0",
                "0.2.0",
                "0.3.0",
                "0.4.0",
                "0.5.0"
            ]
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/kraken123

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / kraken123

Package

Name: kraken123; View open source insights on deps.dev
Purl: pkg:pypi/kraken123

Affected ranges

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.5.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/kraken123/MAL-2025-191778.json"