MAL-2025-191861

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/s3transfer-sl/MAL-2025-191861.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-191861

Published

2025-04-23T10:32:24Z

Modified

2025-12-31T02:56:47.851609Z

Summary

Malicious code in s3transfer-sl (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (e1cc7c88223c47e4c3ceecc6fe73d05c1cbb505061a009f8ae5caf37086a2e09)

During installation, the package attempts to exfiltrate env variables and tokens from Azure metadata API. It's a malicious clon of s3transfer

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-04-s3transfer-sl

Reasons (based on the campaign):

exfiltration-cloud-tokens
clones-real-package
typosquatting

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "5d10e122ebed25fab78cda8e7fd295eac6e3871a3017ccc1d8f0268c7d915569",
            "source": "kam193",
            "import_time": "2025-12-02T22:30:55.560659468Z",
            "modified_time": "2025-04-23T10:32:24Z",
            "id": "pypi/2025-04-s3transfer-sl/s3transfer-sl",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ]
        },
        {
            "sha256": "e1cc7c88223c47e4c3ceecc6fe73d05c1cbb505061a009f8ae5caf37086a2e09",
            "source": "kam193",
            "import_time": "2025-12-02T23:07:18.603489461Z",
            "modified_time": "2025-04-23T10:32:24Z",
            "id": "pypi/2025-04-s3transfer-sl/s3transfer-sl",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ]
        },
        {
            "versions": [
                "0.12.4",
                "0.12.0",
                "0.12.1",
                "0.12.2",
                "0.12.3",
                "0.12.5"
            ],
            "source": "kam193",
            "import_time": "2025-12-10T21:38:57.807060134Z",
            "modified_time": "2025-04-23T10:32:24Z",
            "id": "pypi/2025-04-s3transfer-sl/s3transfer-sl",
            "sha256": "63ac1236be94096dd502d0448ce4360ead8b4d1d7bbe4091e71360b6b47d7f48"
        },
        {
            "versions": [
                "0.12.0",
                "0.12.1",
                "0.12.2",
                "0.12.3",
                "0.12.4",
                "0.12.5"
            ],
            "source": "kam193",
            "import_time": "2025-12-30T22:39:04.17040703Z",
            "modified_time": "2025-04-23T10:32:24Z",
            "id": "pypi/2025-04-s3transfer-sl/s3transfer-sl",
            "sha256": "33513a3f1624f77353ee7b07dbfabcd90173e70d9a81b05972adebaf0f18132c"
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/s3transfer-sl

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / s3transfer-sl

Package

Name: s3transfer-sl; View open source insights on deps.dev
Purl: pkg:pypi/s3transfer-sl

Affected ranges

Affected versions

0.*

0.12.0

0.12.1

0.12.2

0.12.3

0.12.4

0.12.5

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/s3transfer-sl/MAL-2025-191861.json"