MAL-2025-193014

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/cas-base/MAL-2025-193014.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-193014
Published
2025-07-14T15:15:50Z
Modified
2026-05-11T13:46:16.915573Z
Summary
Malicious code in cas-base (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (69eb341218878aebdec66eb5a44391314921fe3c7fb387021d0684bbb91913b3)

The package contains code to install remotely stored malware and ensure its persistence. The code is not triggered automatically; it requires a separate trigger.

Originally, cas-base was detected in 2025-07 with an unclear payload. Later it got updated to a clearly malicious payload


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-07-cas-base

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • malware

  • persistence

Database specific
{
    "iocs": {
        "domains": [
            "pub-b63e77578ffe42519de7d1771935f8b0.r2.dev"
        ],
        "urls": [
            "https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Kaylew.zip",
            "https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Ddrat.zip",
            "https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Edge.zip"
        ]
    },
    "malicious-packages-origins": [
        {
            "versions": [
                "1.5.2",
                "1.5.3",
                "1.5.5",
                "1.5.6",
                "1.5.7",
                "1.5.8",
                "1.5.9",
                "1.6.0",
                "1.6.1",
                "1.6.2",
                "1.6.3",
                "1.6.5",
                "1.6.6",
                "1.6.9"
            ],
            "id": "pypi/2025-07-cas-base/cas-base",
            "modified_time": "2026-05-11T09:24:12.761069Z",
            "import_time": "2026-05-11T10:43:41.389452331Z",
            "sha256": "69eb341218878aebdec66eb5a44391314921fe3c7fb387021d0684bbb91913b3",
            "source": "kam193"
        },
        {
            "versions": [
                "1.5.2",
                "1.5.3",
                "1.5.5",
                "1.5.6",
                "1.5.7",
                "1.5.8",
                "1.5.9",
                "1.6.0",
                "1.6.1",
                "1.6.2",
                "1.6.3",
                "1.6.5",
                "1.6.6",
                "1.6.9",
                "1.7.1"
            ],
            "id": "pypi/2025-07-cas-base/cas-base",
            "modified_time": "2026-05-11T12:48:26.732492Z",
            "import_time": "2026-05-11T13:30:00.640281999Z",
            "sha256": "ebe4dad19c45d7bacbd4a1a3de525d0117559fa90434ca71f38160072a539a58",
            "source": "kam193"
        }
    ]
}
References
Credits

Affected packages

PyPI / cas-base

Package

Affected ranges

Affected versions

1.*
1.5.2
1.5.3
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.6.0
1.6.1
1.6.2
1.6.3
1.6.5
1.6.6
1.6.9
1.7.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/cas-base/MAL-2025-193014.json"