MAL-2025-191869

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/sintok/MAL-2025-191869.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191869
Published
2025-02-18T20:50:57Z
Modified
2025-12-12T20:42:20.057556Z
Summary
Malicious code in sintok (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (7ac54e69b2c1c8f39c9a938ce34d0f0382a0185aa821e4d8e6eaeaac1c456ecb)

Importing the module starts obfuscated code that downloads well-recognized malware. In further variations, the code that downloads and starts the malicious code is a little more hidden in the functionality and starts after presenting some allegedly expected activity.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-02-tiksing

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • obfuscation

  • malware

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "6ddaeb59626caa09d1d4be4c1dafe8d10ed4c00cdb30b9b2b25aa0e4201f62e0",
            "source": "kam193",
            "import_time": "2025-12-02T22:30:55.577613964Z",
            "id": "pypi/2025-02-tiksing/sintok",
            "modified_time": "2025-02-18T20:50:57Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ]
        },
        {
            "sha256": "7ac54e69b2c1c8f39c9a938ce34d0f0382a0185aa821e4d8e6eaeaac1c456ecb",
            "source": "kam193",
            "import_time": "2025-12-02T23:07:18.621355587Z",
            "id": "pypi/2025-02-tiksing/sintok",
            "modified_time": "2025-02-18T20:50:57Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ]
        },
        {
            "modified_time": "2025-02-18T20:50:57Z",
            "source": "kam193",
            "import_time": "2025-12-10T21:38:57.818579177Z",
            "id": "pypi/2025-02-tiksing/sintok",
            "versions": [
                "0.0.2"
            ],
            "sha256": "d657cc87578b5eb24af7ca1659a29750b189120554fa29fd92444ea06826b698"
        }
    ],
    "iocs": {
        "ips": [
            "185.118.79.24"
        ],
        "domains": [
            "kuruptd.ink"
        ],
        "urls": [
            "https://kuruptd.ink/fiaegjnkaegjhiageaij0geajb8387r5315gvvassdgvaknldv7at6.php",
            "https://shorturl.at/pL5qZ"
        ]
    }
}
References
Credits

Affected packages

PyPI / sintok

Package

Affected ranges

Affected versions

0.*
0.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/sintok/MAL-2025-191869.json"