-= Per source details. Do not edit below this line.=-
It's a clone of the "loguru" package which, on import, loads a second-stage script from loguru[.]guru. That script makes a few checks and downloads the next stage, which is code obfuscated with PyArmor and has unclear behaviour.
The way the malicious code has been embedded could be called a "sophisticated" threat. The code is in _logger.py in two places: the payload at L2242 as a long string consisting only of whitespace characters, which are then transformed into bits and bytes and later compiled and executed using "types.FunctionType" during initialisation of the Core class.
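A static check for the embedding pattern described above, as an added example that is not part of the original report or of any package it names. It flags long whitespace-only string literals and dynamic-execution calls in a Python source file without importing it; the threshold, the function names and the sample input are assumptions made for illustration.

```python
import ast

MIN_LEN = 256  # assumed threshold for a "long" whitespace-only literal
SUSPICIOUS_CALLS = {"types.FunctionType", "FunctionType", "compile", "exec", "eval"}

# Constructed sample: a harmless whitespace-only literal next to the
# compile + types.FunctionType pattern the report describes.
SAMPLE = (
    "import types\n"
    "_PAD = '" + " \\t" * 200 + "'\n"
    "class Core:\n"
    "    def __init__(self):\n"
    "        code = compile('pass', '<s>', 'exec')\n"
    "        types.FunctionType(code, {})()\n"
)

def call_name(func):
    """Rebuild a dotted name such as 'types.FunctionType' from a call target."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))

def scan_source(source, filename="<src>"):
    """Parse (never execute) the source; return sorted (line, kind, detail) findings."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if len(s) >= MIN_LEN and s.isspace():
                detail = f"{len(s)} chars, alphabet={sorted(set(s))!r}"
                findings.append((node.lineno, "whitespace-literal", detail))
        elif isinstance(node, ast.Call):
            name = call_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, "dynamic-exec", name))
    return sorted(findings)

def is_suspicious(findings):
    """Escalate only when a hidden-payload literal and dynamic execution co-occur."""
    kinds = {kind for _, kind, _ in findings}
    return {"whitespace-literal", "dynamic-exec"} <= kinds

if __name__ == "__main__":
    for line, kind, detail in scan_source(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
    print("suspicious:", is_suspicious(scan_source(SAMPLE)))
```

Run it over unpacked sdist or wheel contents rather than an installed package, since the report states the first stage is triggered on import.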
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-07-loquru
Reasons (based on the campaign):
typosquatting
obfuscation
clones-real-package
Downloads and executes a remote malicious script.
{
"iocs": {
"domains": [
"loguru.guru"
],
"urls": [
"https://loguru.guru/version/is_match_revision",
"https://loguru.guru/version/code"
]
},
"malicious-packages-origins": [
{
"id": "pypi/2025-07-loquru/loquru",
"modified_time": "2025-08-01T13:47:41.367157Z",
"import_time": "2025-12-02T22:30:55.317137131Z",
"sha256": "641cc2cb716a258c01b21b9d995e1352779eecf22663d8101ac7e946d362d96b",
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "kam193"
},
{
"id": "pypi/2025-07-loquru/loquru",
"modified_time": "2025-08-01T13:47:41.367157Z",
"import_time": "2025-12-02T23:07:18.343821479Z",
"sha256": "a98209ec0f506986521ebd7b24de4f266f6bb61aba50f2dc511c391f1037848b",
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "kam193"
},
{
"versions": [
"0.7.3"
],
"id": "pypi/2025-07-loquru/loquru",
"modified_time": "2025-08-01T13:47:41.367157Z",
"import_time": "2025-12-10T21:38:57.577061693Z",
"sha256": "45d6403aae40fb99fdee2c26853d75d2c1616fccb919fb8b28988ec5d535bada",
"source": "kam193"
}
]
}