MAL-2025-2012

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/web3imports/MAL-2025-2012.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-2012
Published
2025-02-01T00:45:27Z
Modified
2026-03-19T12:58:19.481860Z
Summary
Malicious code in web3imports (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (84bb9be7600c163a4a67214f02bb476ce8498551fb0195bbe56161287d86c8cf)

Importing the module starts (through __init__.py) the code that downloads, extracts and starts a remote executable. This has been identified by any.run as an AsyncRAT. The VirusTotal detection rate was originally at the edge of false positive, but increased significantly during a few hours.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-01-asynchelpers

Reasons (based on the campaign):

  • infostealer

  • Downloads and executes a remote executable.

  • malware

Database specific
{
    "iocs": {
        "urls": [
            "https://github.com/asynchelpers/asynchelpers/raw/refs/heads/main/configs/main/security_profiles/functionality.zip"
        ],
        "ips": [
            "104.194.151.19"
        ]
    },
    "malicious-packages-origins": [
        {
            "versions": [
                "1.1.0"
            ],
            "id": "RLMA-2025-01258",
            "modified_time": "2025-03-03T13:45:37Z",
            "import_time": "2025-03-03T15:07:19.340920792Z",
            "sha256": "4596fb5c9e777f66263d34bbda6be30d81f63ff19a84b17bef39b688f6d70c55",
            "source": "reversing-labs"
        },
        {
            "id": "pypi/2025-01-asynchelpers/web3imports",
            "modified_time": "2025-02-01T00:45:27Z",
            "import_time": "2025-12-02T22:30:55.752848504Z",
            "sha256": "5ea7b5e15abdc28f03e980217f5fc1fd3b6398c63e88a69300557d2d64ccfe96",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "id": "pypi/2025-01-asynchelpers/web3imports",
            "modified_time": "2025-02-01T00:45:27Z",
            "import_time": "2025-12-02T23:07:18.794709514Z",
            "sha256": "84bb9be7600c163a4a67214f02bb476ce8498551fb0195bbe56161287d86c8cf",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "versions": [
                "1.1.0"
            ],
            "id": "pypi/2025-01-asynchelpers/web3imports",
            "modified_time": "2025-02-01T00:45:27Z",
            "import_time": "2025-12-10T21:38:57.96173258Z",
            "sha256": "99b3b2bc5582277a557d1f3e8f547605c4f3a4f93fee23a0e83fdb815b960987",
            "source": "kam193"
        },
        {
            "id": "RLUA-2026-00918",
            "modified_time": "2026-03-18T12:20:29Z",
            "import_time": "2026-03-19T12:20:43.405118809Z",
            "sha256": "f48817572f00f6257470c77e8477ba54388fb446e58cb404f6feb992a30fa70a",
            "source": "reversing-labs"
        }
    ]
}
References
Credits

Affected packages

PyPI / web3imports

Package

Affected ranges

Affected versions

1.*
1.1.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/web3imports/MAL-2025-2012.json"