MAL-2025-191788

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/mcp-runcmd-server/MAL-2025-191788.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191788
Published
2025-10-13T07:46:53Z
Modified
2025-12-31T02:54:57.154385Z
Summary
Malicious code in mcp-runcmd-server (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (2e5608c421ba44a3a2e20b924bd3399d6452dba66e7aea10a0fcdc8044f5a996)

Package starts a reverse shell to a hardcoded location


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-10-mcp-runcommand-server

Reasons (based on the campaign):

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2025-10-13T07:46:53.502024Z",
            "versions": [
                "2.0",
                "1.0"
            ],
            "sha256": "970f8eef061302ee1741f2441b75587c89ba4c03dc2b8957aa0153487b364022",
            "id": "pypi/2025-10-mcp-runcommand-server/mcp-runcmd-server",
            "source": "kam193",
            "import_time": "2025-12-02T22:30:55.327491552Z"
        },
        {
            "modified_time": "2025-10-13T07:46:53.502024Z",
            "versions": [
                "2.0",
                "1.0"
            ],
            "sha256": "2e5608c421ba44a3a2e20b924bd3399d6452dba66e7aea10a0fcdc8044f5a996",
            "id": "pypi/2025-10-mcp-runcommand-server/mcp-runcmd-server",
            "source": "kam193",
            "import_time": "2025-12-02T23:07:18.35548209Z"
        },
        {
            "modified_time": "2025-10-13T07:46:53.502024Z",
            "versions": [
                "1.0",
                "2.0"
            ],
            "sha256": "22017cb0a5e5e8de99e25dbbd8b3ff3546d3a61d56aec583f6545473ed133194",
            "id": "pypi/2025-10-mcp-runcommand-server/mcp-runcmd-server",
            "source": "kam193",
            "import_time": "2025-12-30T22:39:04.127888455Z"
        }
    ],
    "iocs": {
        "ips": [
            "45.115.38.27"
        ]
    }
}
References
Credits

Affected packages

PyPI / mcp-runcmd-server

Package

Name
mcp-runcmd-server
Purl
pkg:pypi/mcp-runcmd-server

Affected ranges

Affected versions

1.*
1.0
2.*
2.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/mcp-runcmd-server/MAL-2025-191788.json"