-= Per source details. Do not edit below this line.=-
Clone of Telethon package that exfiltrates credentials. See client/telegrambaseclient.py L608-626 (exfiltration function) and client/auth.py L163 (usage).
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-04-fastgram
Reasons (based on the campaign):
clones-real-package
action-hidden-in-lib-usage
exfiltration-generic
{
  "iocs": {
    "domains": [
      "a1091388.xsph.ru",
      "a1124634.xsph.ru"
    ]
  },
  "malicious-packages-origins": [
    {
      "id": "pypi/2025-04-fastgram/ultrafasttelethon",
      "modified_time": "2025-04-04T12:54:50Z",
      "import_time": "2025-12-02T22:30:55.689812488Z",
      "sha256": "2f2335d63eb797b5edb8c95d3c5c088e72acab99487bbea8294706207e379ad0",
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],
      "source": "kam193"
    },
    {
      "id": "pypi/2025-04-fastgram/ultrafasttelethon",
      "modified_time": "2025-04-04T12:54:50Z",
      "import_time": "2025-12-02T23:07:18.736046313Z",
      "sha256": "73a960b0cd2d21f8bde61f22f956a4c2a02ccddd9e1277eef23d3d8e0406cba4",
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],
      "source": "kam193"
    },
    {
      "versions": [
        "1.39.0",
        "1.39.0.1",
        "1.39.0.2",
        "1.39.0.3"
      ],
      "id": "pypi/2025-04-fastgram/ultrafasttelethon",
      "modified_time": "2025-04-04T12:54:50Z",
      "import_time": "2025-12-10T21:38:57.908035501Z",
      "sha256": "29602e2cd7f36a4d478bdcd0bb75c12f7c61a35d253b73bd36f9a1e6975adab2",
      "source": "kam193"
    }
  ]
}