-= Per source details. Do not edit below this line.=-
Package silently exfiltrates user's credentials ahead of starting the promised functionality. First batch used simple code, the newer attempt to hide functionality by using compiled modules
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-07-prof-quotex
Reasons (based on the campaign):
action-hidden-in-lib-usage
A Telegram webhook is used to send collected data.
exfiltration-credentials
{
"malicious-packages-origins": [
{
"sha256": "2c008fd8741f0aed698d5b2c4799ac047bff1cc1c5a0fc37faaff1248fb113c1",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"modified_time": "2025-07-31T10:00:20.1484Z",
"source": "kam193",
"id": "pypi/2025-07-prof-quotex/prof-tg-gdghho-qu",
"import_time": "2025-12-02T22:30:55.442826277Z"
},
{
"sha256": "6df3141fefe81c96a851af6c8844be2deba7f120c5700fed083ef85087a132b0",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"modified_time": "2025-07-31T10:00:20.1484Z",
"source": "kam193",
"id": "pypi/2025-07-prof-quotex/prof-tg-gdghho-qu",
"import_time": "2025-12-02T23:07:18.465652075Z"
},
{
"versions": [
"0.0.1"
],
"sha256": "98296856c5c09fec72255a4bee01bded436e274913ac54172974bf0ae18dc2d1",
"modified_time": "2025-07-31T10:00:20.1484Z",
"source": "kam193",
"id": "pypi/2025-07-prof-quotex/prof-tg-gdghho-qu",
"import_time": "2025-12-10T21:38:57.680678701Z"
}
]
}