MAL-2025-192956
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/cryptozip/MAL-2025-192956.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2025-192956
- Published
- 2025-12-28T19:49:40Z
- Modified
- 2026-02-26T10:12:34.011829Z
- Summary
- Malicious code in cryptozip (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (157ea6b1f1c3d4ed5564c494db770e9156f3e269f12cefec6e4270085a762f26)
During initialization of the archive-support class, the package starts code from another file and downloads multi-stage malware
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-11-uzip
Reasons (based on the campaign):
Downloads and executes a remote executable.
obfuscation
malware
- Database specific
{ "malicious-packages-origins": [ { "sha256": "157ea6b1f1c3d4ed5564c494db770e9156f3e269f12cefec6e4270085a762f26", "source": "kam193", "modified_time": "2025-12-28T19:49:40.330482Z", "id": "pypi/2025-11-uzip/cryptozip", "versions": [ "0.1.0" ], "import_time": "2025-12-28T20:07:59.794259505Z" }, { "sha256": "93ed9c65b2d6e5a305cf48b2028807daca4705f2e5da039d743ff6a2a774fb33", "source": "kam193", "modified_time": "2025-12-28T21:16:30.54622Z", "id": "pypi/2025-11-uzip/cryptozip", "versions": [ "0.1.0", "0.1.1" ], "import_time": "2025-12-28T22:07:28.469425033Z" }, { "sha256": "78fb389eebd3298e7c2a90e54342c6e1d321a83c85c297f01b78c8d34ced1185", "source": "kam193", "modified_time": "2025-12-29T06:53:54.320021Z", "id": "pypi/2025-11-uzip/cryptozip", "versions": [ "0.1.0", "0.1.1", "0.1.2" ], "import_time": "2025-12-29T07:11:30.535032676Z" }, { "sha256": "dbd27f2b5564393737f0c0e22a308a6215b05ee5cc9060fe4695726efa8ae8ea", "source": "kam193", "modified_time": "2025-12-29T12:13:22.251115Z", "id": "pypi/2025-11-uzip/cryptozip", "versions": [ "0.1.0", "0.1.1", "0.1.2", "0.1.4", "0.1.3" ], "import_time": "2025-12-29T13:19:02.41467091Z" }, { "sha256": "7a913c42577c1aac9993c7b98f5da58e0045b002d9c7c6d5a8a5c65069297cb9", "source": "kam193", "modified_time": "2025-12-29T12:13:22.251115Z", "id": "pypi/2025-11-uzip/cryptozip", "versions": [ "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.1.4" ], "import_time": "2025-12-30T22:39:04.064849802Z" }, { "sha256": "1dbddd2e65a8e772bc476861ebaa45b3f105f6a42d5f45dde643905aef6020c4", "source": "kam193", "modified_time": "2025-12-29T12:13:22.251115Z", "id": "pypi/2025-11-uzip/cryptozip", "versions": [ "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.1.4" ], "import_time": "2026-02-26T09:49:02.307090452Z" } ], "iocs": { "ips": [ "77.105.161.164", "87.120.107.132" ], "urls": [ "http://77.105.161.164:3301/library", "http://77.105.161.164:3301/die1", "http://87.120.107.132:1488/df" ] } }- References
-
- https://www.virustotal.com/gui/file-analysis/MGEwNWE0MzhlMTU3NTUxZTU1OGI4NTRkYTA2MWMxM2M6MTc2MzgzMDEyNA==
- https://www.virustotal.com/gui/file/8808a0a09c0180afe742f0265f8b42bf671bc2083dcecd47c1515f52554200d9/detection
- https://bad-packages.kam193.eu/pypi/package/cryptozip
- https://www.getsafety.com/blog-posts/extrazip-malware-campaign
- Credits
-
-
- Kamil MaĆkowski (kam193) - REPORTER
-
Affected packages
PyPI / cryptozip
Package
- Name
- cryptozip
- View open source insights on deps.dev
- Purl
- pkg:pypi/cryptozip