MAL-2025-191944

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/zscaner/MAL-2025-191944.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-191944

Published

2025-04-20T12:05:56Z

Modified

2025-12-12T20:41:29.156305Z

Summary

Malicious code in zscaner (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (ee09d48ac6f9e7d0460c2a2bc7c9aaae013ce04ac342eb164683b214616e56d1)

Campaign is split into multiple packages that altogether exfiltrates data from desktop Telegram application.

"pyapiepo" is a cover package that provides some useless features BUT also imports "zscaner"
"zscaner", when imported, automatically runs a function that is an entry point to the whole process; it uses the "scan" from "reqinstall" to walk through directories. The package also provides main logic: filtering files, triggering archiving directories and exfiltrating them.
"reqinstall" ensures "requests" are installed and provides a directory tree scanning function.
"zmaker" provides functions to build archives from collected files.
"zsender" provides functions to exfiltrate data, the remote URL and a function to deobfuscate configuration in other packages.

Altogether, they look for "Telegram Desktop" folder, archive user data stored there and exfiltrate to a remote location.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-04-zscaner

Reasons (based on the campaign):

target:telegram
exfiltration-generic
The malicious code is intentionally included in a dependency of the package

Database specific

{
    "iocs": {
        "urls": [
            "http://77.91.76.45:100/OPEN"
        ],
        "ips": [
            "77.91.76.45"
        ]
    },
    "malicious-packages-origins": [
        {
            "source": "kam193",
            "modified_time": "2025-04-20T12:05:56Z",
            "sha256": "6668043ae2bc7032a11a782861883035f06c1553fa9a8b2f1ed9f2214c2683de",
            "id": "pypi/2025-04-zscaner/zscaner",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T22:30:55.79750499Z"
        },
        {
            "source": "kam193",
            "modified_time": "2025-04-20T12:05:56Z",
            "sha256": "ee09d48ac6f9e7d0460c2a2bc7c9aaae013ce04ac342eb164683b214616e56d1",
            "id": "pypi/2025-04-zscaner/zscaner",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T23:07:18.84137537Z"
        },
        {
            "versions": [
                "1.2.0",
                "1.3.0"
            ],
            "modified_time": "2025-04-20T12:05:56Z",
            "sha256": "6f576cbb5c69265f66e820606e885aa1c9edc89fae12046bb3a7c29cca43eee8",
            "id": "pypi/2025-04-zscaner/zscaner",
            "source": "kam193",
            "import_time": "2025-12-10T21:38:58.004351118Z"
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/zscaner

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / zscaner

Package

Name: zscaner; View open source insights on deps.dev
Purl: pkg:pypi/zscaner

Affected ranges

Affected versions

1.*

1.2.0

1.3.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/zscaner/MAL-2025-191944.json"