MAL-2025-191943

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/zmaker/MAL-2025-191943.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-191943
Published
2025-04-20T12:05:56Z
Modified
2025-12-12T20:41:28.676419Z
Summary
Malicious code in zmaker (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (2f4ac88a121488df2fdfa1cb5409f3443f658a30d679f20acc41dd2c656bd3b8)

Campaign is split into multiple packages that altogether exfiltrates data from desktop Telegram application.

  1. "pyapiepo" is a cover package that provides some useless features BUT also imports "zscaner"
  2. "zscaner", when imported, automatically runs a function that is an entry point to the whole process; it uses the "scan" from "reqinstall" to walk through directories. The package also provides main logic: filtering files, triggering archiving directories and exfiltrating them.
  3. "reqinstall" ensures "requests" are installed and provides a directory tree scanning function.
  4. "zmaker" provides functions to build archives from collected files.
  5. "zsender" provides functions to exfiltrate data, the remote URL and a function to deobfuscate configuration in other packages.

Altogether, they look for "Telegram Desktop" folder, archive user data stored there and exfiltrate to a remote location.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-04-zscaner

Reasons (based on the campaign):

  • target:telegram

  • exfiltration-generic

  • The malicious code is intentionally included in a dependency of the package

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "cc08fc76d6faec922ae26ff6b70f2b10cfade2e5225d2fe36d35425bd98ed4dd",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "modified_time": "2025-04-20T12:05:56Z",
            "source": "kam193",
            "id": "pypi/2025-04-zscaner/zmaker",
            "import_time": "2025-12-02T22:30:55.796516603Z"
        },
        {
            "sha256": "2f4ac88a121488df2fdfa1cb5409f3443f658a30d679f20acc41dd2c656bd3b8",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "modified_time": "2025-04-20T12:05:56Z",
            "source": "kam193",
            "id": "pypi/2025-04-zscaner/zmaker",
            "import_time": "2025-12-02T23:07:18.840307374Z"
        },
        {
            "versions": [
                "1.0.3",
                "1.0.4"
            ],
            "sha256": "62a2a2dff55d2a7df65a09c7d1154fe6fed0c304d25654de24d3640d367607e6",
            "modified_time": "2025-04-20T12:05:56Z",
            "source": "kam193",
            "id": "pypi/2025-04-zscaner/zmaker",
            "import_time": "2025-12-10T21:38:58.003278769Z"
        }
    ],
    "iocs": {
        "ips": [
            "77.91.76.45"
        ],
        "urls": [
            "http://77.91.76.45:100/OPEN"
        ]
    }
}
References
Credits

Affected packages

PyPI / zmaker

Package

Affected ranges

Affected versions

1.*
1.0.3
1.0.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/zmaker/MAL-2025-191943.json"