MAL-2025-192958
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/smtmlib/MAL-2025-192958.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2025-192958
- Published
- 2025-12-29T10:04:23Z
- Modified
- 2025-12-29T11:22:18.710033Z
- Summary
- Malicious code in smtmlib (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (e871336d0effe99cb62efeda3a287186e75c1bd4ca5770efd81718db8ababe4e)
Malicious copy of a standard library module that during class initialization downloads and executes remote code and after that attempts to cover its tracks by overwriting itself with non-malicious code. The remote code aims to collect and exfiltrate sensitive Telegram session files.
This campaign shares infrastructure and basic methods with previous 2025-11-uzip campaign.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-12-smtblib
Reasons (based on the campaign):
Downloads and executes a remote malicious script.
infostealer
target:telegram
exfiltration-credentials
action-hidden-in-lib-usage
covering-tracks
clones-real-package
typosquatting
- Database specific
{ "malicious-packages-origins": [ { "id": "pypi/2025-12-smtblib/smtmlib", "source": "kam193", "import_time": "2025-12-29T11:07:13.547036865Z", "sha256": "e871336d0effe99cb62efeda3a287186e75c1bd4ca5770efd81718db8ababe4e", "versions": [ "0.1.6", "0.1.7" ], "modified_time": "2025-12-29T10:08:51.60566Z" } ], "iocs": { "urls": [ "http://87.120.107.132:3301/reactor", "http://87.120.107.132:1488/drill", "http://87.120.107.132:1488/drip", "http://87.120.107.132:1488/key" ], "ips": [ "87.120.107.132" ] } }- References
- Credits
-
-
- Kamil Mańkowski (kam193) - REPORTER
-
Affected packages
PyPI / smtmlib
Package
- Name
- smtmlib
- View open source insights on deps.dev
- Purl
- pkg:pypi/smtmlib