MAL-2025-191899

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tiksing/MAL-2025-191899.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-191899

Published

2025-02-18T20:50:57Z

Modified

2025-12-12T20:43:26.762537Z

Summary

Malicious code in tiksing (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (ef883e1ad19e5cbeafdda023c535abc9a14f84f81dce26e06d9f10bf77013ab5)

Importing the module starts Obfuscated code that downloads a well-recognized malware. In the further variations, the code that download and starts the malicious code is now a little more hidden in the functionality and starts after presenting some allegedly expected activity

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-02-tiksing

Reasons (based on the campaign):

Downloads and executes a remote executable.
obfuscation
malware

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2025-02-18T20:50:57Z",
            "import_time": "2025-12-02T22:30:55.64485212Z",
            "sha256": "3ea76770bdbedf8c54236f3a10f324a15b48c3fe41e42fa60bf82fe8199f496f",
            "source": "kam193",
            "id": "pypi/2025-02-tiksing/tiksing",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ]
        },
        {
            "modified_time": "2025-02-18T20:50:57Z",
            "import_time": "2025-12-02T23:07:18.686901198Z",
            "sha256": "ef883e1ad19e5cbeafdda023c535abc9a14f84f81dce26e06d9f10bf77013ab5",
            "source": "kam193",
            "id": "pypi/2025-02-tiksing/tiksing",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ]
        },
        {
            "modified_time": "2025-02-18T20:50:57Z",
            "import_time": "2025-12-10T21:38:57.871286674Z",
            "versions": [
                "0.0.1",
                "0.0.2"
            ],
            "source": "kam193",
            "id": "pypi/2025-02-tiksing/tiksing",
            "sha256": "ec4bc55e32edab7c31f502f53ae8c5898c5252751182fb43906548e8faf6d9d2"
        }
    ],
    "iocs": {
        "domains": [
            "kuruptd.ink"
        ],
        "ips": [
            "185.118.79.24"
        ],
        "urls": [
            "https://kuruptd.ink/fiaegjnkaegjhiageaij0geajb8387r5315gvvassdgvaknldv7at6.php",
            "https://shorturl.at/pL5qZ"
        ]
    }
}

References

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / tiksing

Package

Name: tiksing; View open source insights on deps.dev
Purl: pkg:pypi/tiksing

Affected ranges

Affected versions

0.*

0.0.1

0.0.2

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tiksing/MAL-2025-191899.json"