-= Per source details. Do not edit below this line.=-
Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in background periodically connects to a remote host and waits for next code to execute
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-11-spellcheckers
Reasons (based on the campaign):
obfuscation
Downloads and executes a remote malicious script.
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
{
"malicious-packages-origins": [
{
"modified_time": "2026-02-11T10:04:22.215581Z",
"source": "kam193",
"import_time": "2026-02-11T10:22:20.671153929Z",
"id": "pypi/2025-11-spellcheckers/tablixs",
"versions": [
"1.0.1"
],
"sha256": "46731b2531e50115b70ae49abbd4bd1abb55f364a4cc2d8234c749f750883359"
},
{
"modified_time": "2026-02-11T10:04:22.215581Z",
"source": "kam193",
"import_time": "2026-02-14T18:47:25.013651353Z",
"id": "pypi/2025-11-spellcheckers/tablixs",
"versions": [
"1.0.1"
],
"sha256": "8851d367e7ade8b451fa96330bdf7f2d98b0f32fc0fe2f4de4b2291a8fcc7419"
},
{
"modified_time": "2026-02-11T10:04:22.215581Z",
"source": "kam193",
"import_time": "2026-03-11T10:47:48.537008998Z",
"id": "pypi/2025-11-spellcheckers/tablixs",
"versions": [
"1.0.1"
],
"sha256": "0fda761cabb845683bdaac8e11e201636996a50077f283d01b26981499fec9a4"
}
],
"iocs": {
"urls": [
"https://dothebest.store/allow/inform.php",
"https://dothebest.store/refresh.php",
"https://searchbox.info/prefer.php",
"https://updatenet.work/settings/history.php",
"https://dothebest.store/allow"
],
"domains": [
"dothebest.store",
"searchbox.info",
"updatenet.work"
]
}
}