-= Per source details. Do not edit below this line.=-
The package contains code to install remotely stored malware and ensure its persistence. The code is not triggered automatically; it requires a separate trigger.
Originally, cas-base was detected in 2025-07 with an unclear payload. Later it got updated to a clearly malicious payload
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-07-cas-base
Reasons (based on the campaign):
Downloads and executes a remote executable.
malware
persistence
{
"iocs": {
"domains": [
"pub-b63e77578ffe42519de7d1771935f8b0.r2.dev"
],
"urls": [
"https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Kaylew.zip",
"https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Ddrat.zip",
"https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Edge.zip"
]
},
"malicious-packages-origins": [
{
"versions": [
"1.5.2",
"1.5.3",
"1.5.5",
"1.5.6",
"1.5.7",
"1.5.8",
"1.5.9",
"1.6.0",
"1.6.1",
"1.6.2",
"1.6.3",
"1.6.5",
"1.6.6",
"1.6.9"
],
"id": "pypi/2025-07-cas-base/cas-base",
"modified_time": "2026-05-11T09:24:12.761069Z",
"import_time": "2026-05-11T10:43:41.389452331Z",
"sha256": "69eb341218878aebdec66eb5a44391314921fe3c7fb387021d0684bbb91913b3",
"source": "kam193"
},
{
"versions": [
"1.5.2",
"1.5.3",
"1.5.5",
"1.5.6",
"1.5.7",
"1.5.8",
"1.5.9",
"1.6.0",
"1.6.1",
"1.6.2",
"1.6.3",
"1.6.5",
"1.6.6",
"1.6.9",
"1.7.1"
],
"id": "pypi/2025-07-cas-base/cas-base",
"modified_time": "2026-05-11T12:48:26.732492Z",
"import_time": "2026-05-11T13:30:00.640281999Z",
"sha256": "ebe4dad19c45d7bacbd4a1a3de525d0117559fa90434ca71f38160072a539a58",
"source": "kam193"
}
]
}