MAL-2025-2969

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/kgmicolors/MAL-2025-2969.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-2969

Published

2025-02-25T20:53:05Z

Modified

2026-03-19T12:54:24.599617Z

Summary

Malicious code in kgmicolors (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (0d93708c54253e6772832d4aa1ef7f59e5f4f4c159d5ffaaa4045d8267b15b30)

Package contains hidden code that downloads a next stage script, which finally downloads and starts a malware from XWORM family as well as an infostealer

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-02-kgmicolors

Reasons (based on the campaign):

infostealer
Downloads and executes a remote malicious script.
malware

Database specific

{
    "iocs": {
        "urls": [
            "https://raw.githubusercontent.com/Uwu-Kagami/multi-tool/refs/heads/main/modules/base_modules/requirements/load_modules.py",
            "https://github.com/Uwu-Kagami/ConfigSecurityPolicy/raw/refs/heads/main/WinSysDrivers.zip",
            "https://github.com/Uwu-Kagami"
        ]
    },
    "malicious-packages-origins": [
        {
            "modified_time": "2025-03-28T13:05:47Z",
            "sha256": "bc80c88fcc1a584c34053a62ab784fad10c283d3cfe6c35a19e8f63a72777c04",
            "source": "reversing-labs",
            "import_time": "2025-03-31T07:07:05.742684337Z",
            "id": "RLMA-2025-01967",
            "versions": [
                "0.1.0",
                "0.1.1"
            ]
        },
        {
            "modified_time": "2025-02-25T20:53:05Z",
            "sha256": "460b2269bc9b49d8cfc6a1f3e0233e91670c10ccfea39af9f3ccb7ebae3b6c11",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193",
            "import_time": "2025-12-02T22:30:55.298970617Z",
            "id": "pypi/2025-02-kgmicolors/kgmicolors"
        },
        {
            "modified_time": "2025-02-25T20:53:05Z",
            "sha256": "0d93708c54253e6772832d4aa1ef7f59e5f4f4c159d5ffaaa4045d8267b15b30",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193",
            "import_time": "2025-12-02T23:07:18.324022163Z",
            "id": "pypi/2025-02-kgmicolors/kgmicolors"
        },
        {
            "modified_time": "2025-02-25T20:53:05Z",
            "sha256": "6d73015363550c22c5ee553a7780fce74d0b79656b574184fb779717fda7b5a7",
            "source": "kam193",
            "import_time": "2025-12-10T21:38:57.563117819Z",
            "id": "pypi/2025-02-kgmicolors/kgmicolors",
            "versions": [
                "0.1.0",
                "0.1.1"
            ]
        },
        {
            "modified_time": "2026-03-18T12:15:23Z",
            "sha256": "fa982acb4ba9f8d69a2901ac38a2c263287a5d10ab13ac64baf773db7df5a4ea",
            "source": "reversing-labs",
            "import_time": "2026-03-19T12:19:57.49784819Z",
            "id": "RLUA-2026-00452"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / kgmicolors

Package

Name: kgmicolors; View open source insights on deps.dev
Purl: pkg:pypi/kgmicolors

Affected ranges

Affected versions

0.*

0.1.0

0.1.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/kgmicolors/MAL-2025-2969.json"