MAL-2025-2974

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/markitanalysis/MAL-2025-2974.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-2974
Published
2025-01-26T18:01:08Z
Modified
2026-03-19T12:54:29.888358Z
Summary
Malicious code in markitanalysis (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (0181af7442259bbe6dfbeec39c99bc62b711e38ec00c2ce460dc47162390c591)

If installed using source package, the package collects selected environment variables, including GITHUB_TOKEN if set, and sends to an external service. The package doesn't hide its actions at all, but there are already multiple different packages with the same code.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-01-markitanalysis

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • exfiltration-env-variables

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.0.1",
                "0.1.0"
            ],
            "id": "RLMA-2025-01972",
            "modified_time": "2025-03-28T13:05:50Z",
            "import_time": "2025-03-31T07:07:05.871223479Z",
            "sha256": "18531f9f237a5e62ca2df58868cc4b67ca096600e119e2de549de03078bc53b1",
            "source": "reversing-labs"
        },
        {
            "id": "pypi/2025-01-markitanalysis/markitanalysis",
            "modified_time": "2025-01-26T18:01:08Z",
            "import_time": "2025-12-02T22:30:55.324523284Z",
            "sha256": "03e02ea1cd483a1827fe1bb9e76b1ee25b130d93f1771c621a7cfe07eb4793ad",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "id": "pypi/2025-01-markitanalysis/markitanalysis",
            "modified_time": "2025-01-26T18:01:08Z",
            "import_time": "2025-12-02T23:07:18.352214623Z",
            "sha256": "0181af7442259bbe6dfbeec39c99bc62b711e38ec00c2ce460dc47162390c591",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "versions": [
                "0.1.0",
                "0.0.1"
            ],
            "id": "pypi/2025-01-markitanalysis/markitanalysis",
            "modified_time": "2025-01-26T18:01:08Z",
            "import_time": "2025-12-10T21:38:57.584813903Z",
            "sha256": "0ad61b77969396f45539edb8f8a72394bf14141922f165aeb0af4858aca24875",
            "source": "kam193"
        },
        {
            "versions": [
                "0.0.1",
                "0.1.0"
            ],
            "id": "pypi/2025-01-markitanalysis/markitanalysis",
            "modified_time": "2025-01-26T18:01:08Z",
            "import_time": "2025-12-30T22:39:04.125919282Z",
            "sha256": "ccb7acf38e3c7df20d9e0b5bd52120e77ed9ea6e0c29ce58f5e2144718e71277",
            "source": "kam193"
        },
        {
            "id": "RLUA-2026-00497",
            "modified_time": "2026-03-18T12:15:52Z",
            "import_time": "2026-03-19T12:20:01.989836431Z",
            "sha256": "6e66bba612285b75bfd948b0e6695491d53f544145e6b5d146378def20d2b92f",
            "source": "reversing-labs"
        }
    ]
}
References
Credits

Affected packages

PyPI / markitanalysis

Package

Affected ranges

Affected versions

0.*
0.0.1
0.1.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/markitanalysis/MAL-2025-2974.json"