-= Per source details. Do not edit below this line.=-
Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: GENERIC-standard-pypi-install-pentest
Reasons (based on the campaign):
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.
{
"malicious-packages-origins": [
{
"versions": [
"0.1.0"
],
"sha256": "783e7c855dc7ca39f952e085878b2d8f6672afd6174ef7883163346fde2da810",
"modified_time": "2025-03-03T13:45:33Z",
"source": "reversing-labs",
"id": "RLMA-2025-01253",
"import_time": "2025-03-03T15:07:18.896918317Z"
},
{
"versions": [
"0.2.0",
"0.3.0"
],
"sha256": "7a3eac081596280531048d1ddd913b8c2f71c1ba50ab26ee062caa484ae0f4fe",
"modified_time": "2026-02-24T13:46:47.079003Z",
"source": "kam193",
"id": "pypi/GENERIC-standard-pypi-install-pentest/usvr-agent",
"import_time": "2026-02-24T14:25:57.386203174Z"
},
{
"sha256": "1405e2750a6a5af336cf7ff5a520f14cc72102bac8781cb4540a3e464296359f",
"modified_time": "2026-03-18T12:20:03Z",
"source": "reversing-labs",
"id": "RLUA-2026-00878",
"import_time": "2026-03-19T12:20:39.370782446Z"
},
{
"versions": [
"0.2.0"
],
"sha256": "001629f2306b8aa194cea60e8546ba1cdd5f17ba30a5b416bbd55d169fd7b23a",
"modified_time": "2026-03-24T15:22:55Z",
"source": "reversing-labs",
"id": "RLUA-2026-01689",
"import_time": "2026-04-01T12:26:13.182725011Z"
}
]
}