MAL-2025-193013

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tablixs/MAL-2025-193013.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-193013
Published
2026-02-11T10:04:22Z
Modified
2026-03-13T06:51:07.409366Z
Summary
Malicious code in tablixs (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (46731b2531e50115b70ae49abbd4bd1abb55f364a4cc2d8234c749f750883359)

Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in background periodically connects to a remote host and waits for next code to execute


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-11-spellcheckers

Reasons (based on the campaign):

  • obfuscation

  • Downloads and executes a remote malicious script.

  • The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-02-11T10:04:22.215581Z",
            "source": "kam193",
            "import_time": "2026-02-11T10:22:20.671153929Z",
            "id": "pypi/2025-11-spellcheckers/tablixs",
            "versions": [
                "1.0.1"
            ],
            "sha256": "46731b2531e50115b70ae49abbd4bd1abb55f364a4cc2d8234c749f750883359"
        },
        {
            "modified_time": "2026-02-11T10:04:22.215581Z",
            "source": "kam193",
            "import_time": "2026-02-14T18:47:25.013651353Z",
            "id": "pypi/2025-11-spellcheckers/tablixs",
            "versions": [
                "1.0.1"
            ],
            "sha256": "8851d367e7ade8b451fa96330bdf7f2d98b0f32fc0fe2f4de4b2291a8fcc7419"
        },
        {
            "modified_time": "2026-02-11T10:04:22.215581Z",
            "source": "kam193",
            "import_time": "2026-03-11T10:47:48.537008998Z",
            "id": "pypi/2025-11-spellcheckers/tablixs",
            "versions": [
                "1.0.1"
            ],
            "sha256": "0fda761cabb845683bdaac8e11e201636996a50077f283d01b26981499fec9a4"
        }
    ],
    "iocs": {
        "urls": [
            "https://dothebest.store/allow/inform.php",
            "https://dothebest.store/refresh.php",
            "https://searchbox.info/prefer.php",
            "https://updatenet.work/settings/history.php",
            "https://dothebest.store/allow"
        ],
        "domains": [
            "dothebest.store",
            "searchbox.info",
            "updatenet.work"
        ]
    }
}
References
Credits

Affected packages

PyPI / tablixs

Package

Affected ranges

Affected versions

1.*
1.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tablixs/MAL-2025-193013.json"