-= Per source details. Do not edit below this line.=-
The campaign is split into multiple packages that together exfiltrate data from the desktop Telegram application.
Taken together, they look for the "Telegram Desktop" folder, archive the user data stored there and exfiltrate it to a remote location.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-04-zscaner
Reasons (based on the campaign):
target:telegram
exfiltration-generic
The malicious code is intentionally included in a dependency of the package
{
  "malicious-packages-origins": [
    {
      "sha256": "cc08fc76d6faec922ae26ff6b70f2b10cfade2e5225d2fe36d35425bd98ed4dd",
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "modified_time": "2025-04-20T12:05:56Z",
      "source": "kam193",
      "id": "pypi/2025-04-zscaner/zmaker",
      "import_time": "2025-12-02T22:30:55.796516603Z"
    },
    {
      "sha256": "2f4ac88a121488df2fdfa1cb5409f3443f658a30d679f20acc41dd2c656bd3b8",
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "modified_time": "2025-04-20T12:05:56Z",
      "source": "kam193",
      "id": "pypi/2025-04-zscaner/zmaker",
      "import_time": "2025-12-02T23:07:18.840307374Z"
    },
    {
      "versions": [
        "1.0.3",
        "1.0.4"
      ],
      "sha256": "62a2a2dff55d2a7df65a09c7d1154fe6fed0c304d25654de24d3640d367607e6",
      "modified_time": "2025-04-20T12:05:56Z",
      "source": "kam193",
      "id": "pypi/2025-04-zscaner/zmaker",
      "import_time": "2025-12-10T21:38:58.003278769Z"
    }
  ],
  "iocs": {
    "ips": [
      "77.91.76.45"
    ],
    "urls": [
      "http://77.91.76.45:100/OPEN"
    ]
  }
}