MAL-2025-1996

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/superline/MAL-2025-1996.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-1996

Published

2025-01-25T16:48:57Z

Modified

2026-03-19T12:57:06.819245Z

Summary

Malicious code in superline (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (59df95892042deb7d9fd8ce71d1890aeafd0cdab2cb8bbc3948504e74ccae39e)

Importing the package starts an advanced Infostealer, probably Blank Grabber, exfiltrating browser data, wifi passwords, discord and games tokens, crypto wallets etc.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-01-superline

Reasons (based on the campaign):

exfiltration-browser-data
infostealer
exfiltration-generic
peristence-autorun
exfiltration-crypto
The package contains code to detect if it is running in a sandbox environment.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "b210e097c26dad5e2008df741bf344636b53a7737e09d586f56334b3f6e684a8",
            "id": "RLMA-2025-01239",
            "versions": [
                "0.1"
            ],
            "import_time": "2025-03-03T15:07:17.464013538Z",
            "modified_time": "2025-03-03T13:45:22Z",
            "source": "reversing-labs"
        },
        {
            "sha256": "6b3ff5f0b7a3cca0b925828c2073d18c26a229abf5a51ce88f892557ef8f476d",
            "id": "pypi/2025-01-superline/superline",
            "modified_time": "2025-01-25T16:48:57Z",
            "import_time": "2025-12-02T22:30:55.616440826Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "kam193"
        },
        {
            "sha256": "59df95892042deb7d9fd8ce71d1890aeafd0cdab2cb8bbc3948504e74ccae39e",
            "id": "pypi/2025-01-superline/superline",
            "modified_time": "2025-01-25T16:48:57Z",
            "import_time": "2025-12-02T23:07:18.656890148Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "kam193"
        },
        {
            "sha256": "2a25715177382da7b2fc216c8e9f116e40c3bd383591ae5dcb36c51df7d1c8a0",
            "id": "pypi/2025-01-superline/superline",
            "versions": [
                "0.1"
            ],
            "import_time": "2025-12-10T21:38:57.846969601Z",
            "modified_time": "2025-01-25T16:48:57Z",
            "source": "kam193"
        },
        {
            "sha256": "af89b494a9c9d66ddcf2157d5b0c67cf8f2a122bc4d30e6d53ccaf1559c8da78",
            "id": "RLUA-2026-00788",
            "modified_time": "2026-03-18T12:19:08Z",
            "import_time": "2026-03-19T12:20:30.516297841Z",
            "source": "reversing-labs"
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/superline

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / superline

Package

Name: superline; View open source insights on deps.dev
Purl: pkg:pypi/superline

Affected ranges

Affected versions

0.*

0.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/superline/MAL-2025-1996.json"