MAL-2025-191945

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/zsender/MAL-2025-191945.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-191945

Published

2025-04-20T12:05:56Z

Modified

2025-12-12T20:41:30.670871Z

Summary

Malicious code in zsender (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (64454f4348553cc0321094cffaef685d8977dd95ccf1c07dc54e2b8b3c39a8f0)

Campaign is split into multiple packages that altogether exfiltrates data from desktop Telegram application.

"pyapiepo" is a cover package that provides some useless features BUT also imports "zscaner"
"zscaner", when imported, automatically runs a function that is an entry point to the whole process; it uses the "scan" from "reqinstall" to walk through directories. The package also provides main logic: filtering files, triggering archiving directories and exfiltrating them.
"reqinstall" ensures "requests" are installed and provides a directory tree scanning function.
"zmaker" provides functions to build archives from collected files.
"zsender" provides functions to exfiltrate data, the remote URL and a function to deobfuscate configuration in other packages.

Altogether, they look for "Telegram Desktop" folder, archive user data stored there and exfiltrate to a remote location.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-04-zscaner

Reasons (based on the campaign):

target:telegram
exfiltration-generic
The malicious code is intentionally included in a dependency of the package

Database specific

{
    "iocs": {
        "ips": [
            "77.91.76.45"
        ],
        "urls": [
            "http://77.91.76.45:100/OPEN"
        ]
    },
    "malicious-packages-origins": [
        {
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "pypi/2025-04-zscaner/zsender",
            "sha256": "bbea3884909fc4de5c28947d3ddee545fc4922cc2881a678ed50536a7be365cf",
            "source": "kam193",
            "modified_time": "2025-04-20T12:05:56Z",
            "import_time": "2025-12-02T22:30:55.798963796Z"
        },
        {
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "pypi/2025-04-zscaner/zsender",
            "sha256": "64454f4348553cc0321094cffaef685d8977dd95ccf1c07dc54e2b8b3c39a8f0",
            "source": "kam193",
            "modified_time": "2025-04-20T12:05:56Z",
            "import_time": "2025-12-02T23:07:18.842422547Z"
        },
        {
            "id": "pypi/2025-04-zscaner/zsender",
            "sha256": "d5772de1da404ef7501981ed6bffd40608f3942ba75abb398feab77aa6c350eb",
            "source": "kam193",
            "versions": [
                "1.2.7"
            ],
            "modified_time": "2025-04-20T12:05:56Z",
            "import_time": "2025-12-10T21:38:58.005503987Z"
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/zsender

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / zsender

Package

Name: zsender; View open source insights on deps.dev
Purl: pkg:pypi/zsender

Affected ranges

Affected versions

1.*

1.2.7

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/zsender/MAL-2025-191945.json"