MAL-2025-192690

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/smtrlib/MAL-2025-192690.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-192690
Published
2025-12-22T17:15:11Z
Modified
2026-02-26T10:07:21.722299Z
Summary
Malicious code in smtrlib (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (2c1075f7c4373ccaac9936bfd75a22a27f0c9ba06a5402a68a45fe8121f58783)

Malicious copy of a standard library module that during class initialization downloads and executes remote code and after that attempts to cover its tracks by overwriting itself with non-malicious code. The remote code aims to collect and exfiltrate sensitive Telegram session files.

This campaign shares infrastructure and basic methods with previous 2025-11-uzip campaign.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-12-smtblib

Reasons (based on the campaign):

  • Downloads and executes a remote malicious script.

  • infostealer

  • target:telegram

  • exfiltration-credentials

  • action-hidden-in-lib-usage

  • covering-tracks

  • clones-real-package

  • typosquatting

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.1.6",
                "0.1.5"
            ],
            "sha256": "2c1075f7c4373ccaac9936bfd75a22a27f0c9ba06a5402a68a45fe8121f58783",
            "modified_time": "2025-12-22T17:15:11.396277Z",
            "source": "kam193",
            "id": "pypi/2025-12-smtblib/smtrlib",
            "import_time": "2025-12-22T18:09:53.100084416Z"
        },
        {
            "versions": [
                "0.1.6",
                "0.1.5"
            ],
            "sha256": "a2f22b191147cb45609f235f11ad1e22cbddd3ea8fcbc48eae1b924c03c8581a",
            "modified_time": "2025-12-22T17:15:11.396277Z",
            "source": "kam193",
            "id": "pypi/2025-12-smtblib/smtrlib",
            "import_time": "2025-12-29T11:07:13.548559626Z"
        },
        {
            "versions": [
                "0.1.5",
                "0.1.6"
            ],
            "sha256": "9d85a36c2c00ecd57e7e665998fe1ecb407321c3c31d98e236f7cf1d8d382e81",
            "modified_time": "2025-12-22T17:15:11.396277Z",
            "source": "kam193",
            "id": "pypi/2025-12-smtblib/smtrlib",
            "import_time": "2025-12-30T22:39:04.178817796Z"
        },
        {
            "versions": [
                "0.1.5",
                "0.1.6"
            ],
            "sha256": "10033b8781afb1d5ce5c8e963a881098ccc3c451b91eeca2923530156685996e",
            "modified_time": "2025-12-22T17:15:11.396277Z",
            "source": "kam193",
            "id": "pypi/2025-12-smtblib/smtrlib",
            "import_time": "2026-02-26T09:49:02.337211857Z"
        }
    ],
    "iocs": {
        "ips": [
            "87.120.107.132"
        ],
        "urls": [
            "http://87.120.107.132:3301/reactor",
            "http://87.120.107.132:1488/drill",
            "http://87.120.107.132:1488/drip"
        ]
    }
}
References
Credits

Affected packages

PyPI / smtrlib

Package

Affected ranges

Affected versions

0.*
0.1.5
0.1.6

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/smtrlib/MAL-2025-192690.json"