MAL-2025-1975

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/farooq4321/MAL-2025-1975.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-1975
Published
2025-02-04T19:09:33Z
Modified
2026-03-19T12:53:03.181906Z
Summary
Malicious code in farooq4321 (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (165ce280a6d073eebbba054677a6c80307c8353b31e41732ba1ffc1f8a020aa4)

Code in setup.py attempts to call a webhook, but most importantly to execute a revshell


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-02-farooq4321

Reasons (based on the campaign):

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

  • The package overrides the install command in setup.py to execute malicious code during installation.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "5e73139e6b9c692a8fe69bf7bd6afacf2d15c854fad546a90f4e18d04005c50c",
            "id": "RLMA-2025-01216",
            "import_time": "2025-03-03T15:07:15.098737294Z",
            "modified_time": "2025-03-03T13:44:53Z",
            "versions": [
                "1.0.0"
            ],
            "source": "reversing-labs"
        },
        {
            "sha256": "ceb936fd2fc63bff68bca177780c745be2347bf7b1175b52f68c58ab81e3007d",
            "id": "pypi/2025-02-farooq4321/farooq4321",
            "import_time": "2025-12-02T22:30:55.18377882Z",
            "modified_time": "2025-02-04T19:09:33Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "kam193"
        },
        {
            "sha256": "165ce280a6d073eebbba054677a6c80307c8353b31e41732ba1ffc1f8a020aa4",
            "id": "pypi/2025-02-farooq4321/farooq4321",
            "import_time": "2025-12-02T23:07:18.192170465Z",
            "modified_time": "2025-02-04T19:09:33Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "kam193"
        },
        {
            "sha256": "43e9a968d119c0ae87cad73f5ffae0b3acee0fd7475f0ee3205ead682390dcd7",
            "id": "pypi/2025-02-farooq4321/farooq4321",
            "import_time": "2025-12-10T21:38:57.476319903Z",
            "modified_time": "2025-02-04T19:09:33Z",
            "versions": [
                "1.0.0"
            ],
            "source": "kam193"
        },
        {
            "sha256": "8440182ffbe72f527d4f14fd778e5d27f9151c2a33847eba9800889e84ebc416",
            "id": "RLUA-2026-00315",
            "import_time": "2026-03-19T12:19:44.76580708Z",
            "modified_time": "2026-03-18T12:13:46Z",
            "source": "reversing-labs"
        }
    ],
    "iocs": {
        "domains": [
            "electronics-affiliate.gl.at.ply.gg"
        ]
    }
}
References
Credits

Affected packages

PyPI / farooq4321

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/farooq4321/MAL-2025-1975.json"