-= Per source details. Do not edit below this line.=-
Code in setup.py attempts to call a webhook, but most importantly to execute a revshell
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-02-farooq4321
Reasons (based on the campaign):
The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
The package overrides the install command in setup.py to execute malicious code during installation.
{
"malicious-packages-origins": [
{
"sha256": "5e73139e6b9c692a8fe69bf7bd6afacf2d15c854fad546a90f4e18d04005c50c",
"id": "RLMA-2025-01216",
"import_time": "2025-03-03T15:07:15.098737294Z",
"modified_time": "2025-03-03T13:44:53Z",
"versions": [
"1.0.0"
],
"source": "reversing-labs"
},
{
"sha256": "ceb936fd2fc63bff68bca177780c745be2347bf7b1175b52f68c58ab81e3007d",
"id": "pypi/2025-02-farooq4321/farooq4321",
"import_time": "2025-12-02T22:30:55.18377882Z",
"modified_time": "2025-02-04T19:09:33Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"source": "kam193"
},
{
"sha256": "165ce280a6d073eebbba054677a6c80307c8353b31e41732ba1ffc1f8a020aa4",
"id": "pypi/2025-02-farooq4321/farooq4321",
"import_time": "2025-12-02T23:07:18.192170465Z",
"modified_time": "2025-02-04T19:09:33Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"source": "kam193"
},
{
"sha256": "43e9a968d119c0ae87cad73f5ffae0b3acee0fd7475f0ee3205ead682390dcd7",
"id": "pypi/2025-02-farooq4321/farooq4321",
"import_time": "2025-12-10T21:38:57.476319903Z",
"modified_time": "2025-02-04T19:09:33Z",
"versions": [
"1.0.0"
],
"source": "kam193"
},
{
"sha256": "8440182ffbe72f527d4f14fd778e5d27f9151c2a33847eba9800889e84ebc416",
"id": "RLUA-2026-00315",
"import_time": "2026-03-19T12:19:44.76580708Z",
"modified_time": "2026-03-18T12:13:46Z",
"source": "reversing-labs"
}
],
"iocs": {
"domains": [
"electronics-affiliate.gl.at.ply.gg"
]
}
}