MAL-2025-191903

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/time-server-analyzer/MAL-2025-191903.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191903
Published
2025-02-25T18:18:21Z
Modified
2026-01-30T20:11:18.101138Z
Summary
Malicious code in time-server-analyzer (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (95abdeda4b05cb93bb442d77d1b339498503b1fddb72e3579359f39c5952513b)

This campaign is built from two parts: 1) packages named like time-check-server, snapshot-photo contain an innocent-looking code that sends "date" to a remote server, 2) packages named like alicloud-client are clones of legit aliyun-python-sdk-core package, with a small change in the client.py code, where it imports the time-check-server and calls it, but instead of a date, the credentials to the cloud are exfiltrated. There are also variations with AWS clients

Apparently, the campaign started at least 2 years ago with the snapshot-photo package containing the same functionality as the newer time-check-server (see https://github.com/pypi-data/pypi-mirror-238/blob/code/packages/snapshot-photo/snapshotphoto-0.0.3-py3-none-any.whl/snapshotphoto/date_format.py).


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-02-alicloud-client

Reasons (based on the campaign):

  • clones-real-package

  • action-hidden-in-lib-usage

  • The malicious code is intentionally included in a dependency of the package

  • exfiltration-cloud-tokens

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "aab02b8f1aa98a69e7c2761b0bc8660e04886ef0a5ba0a7818ae139ec1827010",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "modified_time": "2025-02-25T18:18:21Z",
            "source": "kam193",
            "id": "pypi/2025-02-alicloud-client/time-server-analyzer",
            "import_time": "2025-12-02T22:30:55.64790751Z"
        },
        {
            "sha256": "95abdeda4b05cb93bb442d77d1b339498503b1fddb72e3579359f39c5952513b",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "modified_time": "2025-02-25T18:18:21Z",
            "source": "kam193",
            "id": "pypi/2025-02-alicloud-client/time-server-analyzer",
            "import_time": "2025-12-02T23:07:18.69044296Z"
        },
        {
            "versions": [
                "0.0.1"
            ],
            "sha256": "b8146e88c1a0975f4fef516a10b411f10dd9d474f62b83abb331c773fb4dfee2",
            "modified_time": "2025-02-25T18:18:21Z",
            "source": "kam193",
            "id": "pypi/2025-02-alicloud-client/time-server-analyzer",
            "import_time": "2025-12-10T21:38:57.875341261Z"
        },
        {
            "versions": [
                "0.0.1"
            ],
            "sha256": "c2180252aa10b29ed4ba6b06e80152b041ee9e8e31eceee81cc00d667ea5dfe5",
            "modified_time": "2025-02-25T18:18:21Z",
            "source": "kam193",
            "id": "pypi/2025-02-alicloud-client/time-server-analyzer",
            "import_time": "2026-01-30T19:43:58.391245544Z"
        }
    ],
    "iocs": {
        "urls": [
            "https://api.checktimeserver.org/",
            "https://api.aliyun-sdk-requests.xyz/"
        ],
        "domains": [
            "checktimeserver.org",
            "aliyun-sdk-requests.xyz"
        ]
    }
}
References
Credits

Affected packages

PyPI / time-server-analyzer

Package

Name
time-server-analyzer
View open source insights on deps.dev
Purl
pkg:pypi/time-server-analyzer

Affected ranges

Affected versions

0.*
0.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/time-server-analyzer/MAL-2025-191903.json"