MAL-2025-191831

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pyapiepo/MAL-2025-191831.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-191831

Published

2025-04-20T12:05:56Z

Modified

2025-12-12T20:41:51.625318Z

Summary

Malicious code in pyapiepo (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (69aee56f4c3bce704bc65574959aee0226417e4d6a6e05e662d6fa235c12815f)

Campaign is split into multiple packages that altogether exfiltrates data from desktop Telegram application.

"pyapiepo" is a cover package that provides some useless features BUT also imports "zscaner"
"zscaner", when imported, automatically runs a function that is an entry point to the whole process; it uses the "scan" from "reqinstall" to walk through directories. The package also provides main logic: filtering files, triggering archiving directories and exfiltrating them.
"reqinstall" ensures "requests" are installed and provides a directory tree scanning function.
"zmaker" provides functions to build archives from collected files.
"zsender" provides functions to exfiltrate data, the remote URL and a function to deobfuscate configuration in other packages.

Altogether, they look for "Telegram Desktop" folder, archive user data stored there and exfiltrate to a remote location.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-04-zscaner

Reasons (based on the campaign):

target:telegram
exfiltration-generic
The malicious code is intentionally included in a dependency of the package

Database specific

{
    "iocs": {
        "ips": [
            "77.91.76.45"
        ],
        "urls": [
            "http://77.91.76.45:100/OPEN"
        ]
    },
    "malicious-packages-origins": [
        {
            "source": "kam193",
            "id": "pypi/2025-04-zscaner/pyapiepo",
            "modified_time": "2025-04-20T12:05:56Z",
            "sha256": "b29c2c9b9ba064e002d8d77000ff7ea091ffdd8cb20355476ecf008fcab4766f",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T22:30:55.453982471Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2025-04-zscaner/pyapiepo",
            "modified_time": "2025-04-20T12:05:56Z",
            "sha256": "69aee56f4c3bce704bc65574959aee0226417e4d6a6e05e662d6fa235c12815f",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T23:07:18.477571542Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2025-04-zscaner/pyapiepo",
            "modified_time": "2025-04-20T12:05:56Z",
            "sha256": "f66b9fdcb71d13b13fcc00fd2b09163d7c92bb0067ca45bb2110e99d28a5b753",
            "versions": [
                "1.1.3",
                "1.1.4"
            ],
            "import_time": "2025-12-10T21:38:57.693936936Z"
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/pyapiepo

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / pyapiepo

Package

Name: pyapiepo; View open source insights on deps.dev
Purl: pkg:pypi/pyapiepo

Affected ranges

Affected versions

1.*

1.1.3

1.1.4

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pyapiepo/MAL-2025-191831.json"